To see the other types of publications on this topic, follow the link: Fast Gradient Sign Method (FGSM).
Journal articles on the topic 'Fast Gradient Sign Method (FGSM)'
Create a spot-on reference in APA, MLA, Chicago, Harvard, and other styles
Consult the top 50 journal articles for your research on the topic 'Fast Gradient Sign Method (FGSM).'
Next to every source in the list of references, there is an 'Add to bibliography' button. Press on it, and we will generate automatically the bibliographic reference to the chosen work in the citation style you need: APA, MLA, Harvard, Chicago, Vancouver, etc.
You can also download the full text of the academic publication as pdf and read online its abstract whenever available in the metadata.
Browse journal articles on a wide variety of disciplines and organise your bibliography correctly.
1
Hong, Dian, Deng Chen, Yanduo Zhang, Huabing Zhou, and Liang Xie. "Attacking Robot Vision Models Efficiently Based on Improved Fast Gradient Sign Method." Applied Sciences 14, no. 3 (February 2, 2024): 1257. http://dx.doi.org/10.3390/app14031257.
Full textAbstract:
The robot vision model is the basis for the robot to perceive and understand the environment and make correct decisions. However, the security and stability of robot vision models are seriously threatened by adversarial examples. In this study, we propose an adversarial attack algorithm, RMS-FGSM, for robot vision models based on root-mean-square propagation (RMSProp). RMS-FGSM uses an exponentially weighted moving average (EWMA) to reduce the weight of the historical cumulative squared gradient. Additionally, it can suppress the gradient growth based on an adaptive learning rate. By integrating with the RMSProp, RMS-FGSM is more likely to generate optimal adversarial examples, and a high attack success rate can be achieved. Experiments on two datasets (MNIST and CIFAR-100) and several models (LeNet, Alexnet, and Resnet-101) show that the attack success rate of RMS-FGSM is higher than the state-of-the-art methods. Above all, our generated adversarial examples have a smaller perturbation than those generated by existing methods under the same attack success rate.
2
Long, Sheng, Wei Tao, Shuohao LI, Jun Lei, and Jun Zhang. "On the Convergence of an Adaptive Momentum Method for Adversarial Attacks." Proceedings of the AAAI Conference on Artificial Intelligence 38, no. 13 (March 24, 2024): 14132–40. http://dx.doi.org/10.1609/aaai.v38i13.29323.
Full textAbstract:
Adversarial examples are commonly created by solving a constrained optimization problem, typically using sign-based methods like Fast Gradient Sign Method (FGSM). These attacks can benefit from momentum with a constant parameter, such as Momentum Iterative FGSM (MI-FGSM), to enhance black-box transferability. However, the monotonic time-varying momentum parameter is required to guarantee convergence in theory, creating a theory-practice gap. Additionally, recent work shows that sign-based methods fail to converge to the optimum in several convex settings, exacerbating the issue. To address these concerns, we propose a novel method which incorporates both an innovative adaptive momentum parameter without monotonicity assumptions and an adaptive step-size scheme that replaces the sign operation. Furthermore, we derive a regret upper bound for general convex functions. Experiments on multiple models demonstrate the efficacy of our method in generating adversarial examples with human-imperceptible noise while achieving high attack success rates, indicating its superiority over previous adversarial example generation methods.
3
Pan, Chao, Qing Li, and Xin Yao. "Adversarial Initialization with Universal Adversarial Perturbation: A New Approach to Fast Adversarial Training." Proceedings of the AAAI Conference on Artificial Intelligence 38, no. 19 (March 24, 2024): 21501–9. http://dx.doi.org/10.1609/aaai.v38i19.30147.
Full textAbstract:
Traditional adversarial training, while effective at improving machine learning model robustness, is computationally intensive. Fast Adversarial Training (FAT) addresses this by using a single-step attack to generate adversarial examples more efficiently. Nonetheless, FAT is susceptible to a phenomenon known as catastrophic overfitting, wherein the model's adversarial robustness abruptly collapses to zero during the training phase. To address this challenge, recent studies have suggested adopting adversarial initialization with Fast Gradient Sign Method Adversarial Training (FGSM-AT), which recycles adversarial perturbations from prior epochs by computing gradient momentum. However, our research has uncovered a flaw in this approach. Given that data augmentation is employed during the training phase, the samples in each epoch are not identical. Consequently, the method essentially yields not the adversarial perturbation of a singular sample, but rather the Universal Adversarial Perturbation (UAP) of a sample and its data augmentation. This insight has led us to explore the potential of using UAPs for adversarial initialization within the context of FGSM-AT. We have devised various strategies for adversarial initialization utilizing UAPs, including single, class-based, and feature-based UAPs. Experiments conducted on three distinct datasets demonstrate that our method achieves an improved trade-off among robustness, computational cost, and memory footprint. Code is available at https://github.com/fzjcdt/fgsm-uap.
4
Wibawa, Sigit. "Analysis of Adversarial Attacks on AI-based With Fast Gradient Sign Method." International Journal of Engineering Continuity 2, no. 2 (August 1, 2023): 72–79. http://dx.doi.org/10.58291/ijec.v2i2.120.
Full textAbstract:
Artificial intelligence (AI) has become a key driving force in sectors from transportation to healthcare, and is opening up tremendous opportunities for technological advancement. However, behind this promising potential, AI also presents serious security challenges. This article aims to investigate attacks on AI and security challenges that must be faced in the era of artificial intelligence, this research aims to simulate and test the security of AI systems due to adversarial attacks. We can use the Python programming language for this, using several libraries and tools. One that is very popular for testing the security of AI models is CleverHans, and by understanding those threats we can protect the positive developments of AI in the future. this research provides a thorough understanding of attacks in AI technology especially in neural networks and machine learning, and the security challenge we face is that adding a little interference to the input data causes the AI model to produce wrong predictions in adversarial attacks there is the FGSM model which with an epsilon value of 0.1 causes the model suffered a drastic reduction in accuracy of around 66%, which means that the attack managed to mislead the model and lead to incorrect predictions. in the future understanding this threat is the key to protecting the positive development of AI. With a thorough understanding of AI attacks and the security challenges we address, we can build a solid foundation to effectively address these threats.
5
Kadhim, Ansam, and Salah Al-Darraji. "Face Recognition System Against Adversarial Attack Using Convolutional Neural Network." Iraqi Journal for Electrical and Electronic Engineering 18, no. 1 (November 6, 2021): 1–8. http://dx.doi.org/10.37917/ijeee.18.1.1.
Full textAbstract:
Face recognition is the technology that verifies or recognizes faces from images, videos, or real-time streams. It can be used in security or employee attendance systems. Face recognition systems may encounter some attacks that reduce their ability to recognize faces properly. So, many noisy images mixed with original ones lead to confusion in the results. Various attacks that exploit this weakness affect the face recognition systems such as Fast Gradient Sign Method (FGSM), Deep Fool, and Projected Gradient Descent (PGD). This paper proposes a method to protect the face recognition system against these attacks by distorting images through different attacks, then training the recognition deep network model, specifically Convolutional Neural Network (CNN), using the original and distorted images. Diverse experiments have been conducted using combinations of original and distorted images to test the effectiveness of the system. The system showed an accuracy of 93% using FGSM attack, 97% using deep fool, and 95% using PGD.
6
Pervin, Mst Tasnim, Linmi Tao, and Aminul Huq. "Adversarial attack driven data augmentation for medical images." International Journal of Electrical and Computer Engineering (IJECE) 13, no. 6 (December 1, 2023): 6285. http://dx.doi.org/10.11591/ijece.v13i6.pp6285-6292.
Full textAbstract:
An important stage in medical image analysis is segmentation, which aids in focusing on the required area of an image and speeds up findings. Fortunately, deep learning models have taken over with their high-performing capabilities, making this process simpler. The deep learning model’s reliance on vast data, however, makes it difficult to utilize for medical image analysis due to the scarcity of data samples. Too far, a number of data augmentations techniques have been employed to address the issue of data unavailability. Here, we present a novel method of augmentation that enabled the UNet model to segment the input dataset with about 90% accuracy in just 30 epochs. We describe the us- age of fast gradient sign method (FGSM) as an augmentation tool for adversarial machine learning attack methods. Besides, we have developed the method of Inverse FGSM, which im- proves performance by operating in the opposite way from FGSM adversarial attacks. In comparison to the conventional FGSM methodology, our strategy boosted performance up to 6% to 7% on average. The model became more resilient to hostile attacks because to these two strategies. An innovative implementation of adversarial machine learning and resilience augmentation is revealed by the overall analysis of this study.
7
Villegas-Ch, William, Angel Jaramillo-Alcázar, and Sergio Luján-Mora. "Evaluating the Robustness of Deep Learning Models against Adversarial Attacks: An Analysis with FGSM, PGD and CW." Big Data and Cognitive Computing 8, no. 1 (January 16, 2024): 8. http://dx.doi.org/10.3390/bdcc8010008.
Full textAbstract:
This study evaluated the generation of adversarial examples and the subsequent robustness of an image classification model. The attacks were performed using the Fast Gradient Sign method, the Projected Gradient Descent method, and the Carlini and Wagner attack to perturb the original images and analyze their impact on the model’s classification accuracy. Additionally, image manipulation techniques were investigated as defensive measures against adversarial attacks. The results highlighted the model’s vulnerability to conflicting examples: the Fast Gradient Signed Method effectively altered the original classifications, while the Carlini and Wagner method proved less effective. Promising approaches such as noise reduction, image compression, and Gaussian blurring were presented as effective countermeasures. These findings underscore the importance of addressing the vulnerability of machine learning models and the need to develop robust defenses against adversarial examples. This article emphasizes the urgency of addressing the threat posed by harmful standards in machine learning models, highlighting the relevance of implementing effective countermeasures and image manipulation techniques to mitigate the effects of adversarial attacks. These efforts are crucial to safeguarding model integrity and trust in an environment marked by constantly evolving hostile threats. An average 25% decrease in accuracy was observed for the VGG16 model when exposed to the Fast Gradient Signed Method and Projected Gradient Descent attacks, and an even more significant 35% decrease with the Carlini and Wagner method.
8
Kurniawan S, Putu Widiarsa, Yosi Kristian, and Joan Santoso. "Pemanfaatan Deep Convulutional Auto-encoder untuk Mitigasi Serangan Adversarial Attack pada Citra Digital." J-INTECH 11, no. 1 (July 4, 2023): 50–59. http://dx.doi.org/10.32664/j-intech.v11i1.845.
Full textAbstract:
Serangan adversarial pada citra digital merupakan ancaman serius bagi penggunaan teknologi machine learning dalam berbagai aplikasi kehidupan sehari-hari. Teknik Fast Gradient Sign Method (FGSM) telah terbukti efektif dalam melakukan serangan pada model machine learning, termasuk pada citra digital yang terdapat dalam dataset ImageNet. Penelitian ini bertujuan untuk mengatasi permasalahan tersebut dengan memanfaatkan teknik Deep Convolutional Auto-encoder (AE) sebagai metode mitigasi serangan adversarial pada citra digital. Penelitian dilakukan dengan cara melakukan serangan FGSM pada dataset ImageNet dan melakukan mitigasi dengan menerapkan teknik AE pada citra digital yang telah diberi serangan. Hasil penelitian menunjukkan bahwa serangan FGSM dapat dilakukan pada sebagian besar citra digital, namun ada beberapa citra yang lebih tahan terhadap serangan. Selain itu, teknik mitigasi AE efektif dalam mengurangi dampak dari serangan adversarial pada sebagian besar citra digital. Akurasi model serangan dan mitigasi masing-masing sebesar 85.42% dan 87.50%. Meskipun masih ada beberapa citra yang rentan terhadap serangan meskipun telah diterapkan teknik mitigasi.
9
Kumari, Rekha, Tushar Bhatia, Peeyush Kumar Singh, and Kanishk Vikram Singh. "Dissecting Adversarial Attacks: A Comparative Analysis of Adversarial Perturbation Effects on Pre-Trained Deep Learning Models." INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT 07, no. 11 (November 1, 2023): 1–11. http://dx.doi.org/10.55041/ijsrem27337.
Full textAbstract:
It is well known that the majority of neural networks widely employed today are extremely susceptible to adversarial perturbations which causes the misclassification of the output. This, in turn, can cause severe security concerns. In this paper, we meticulously evaluate the robustness of prominent pre-trained deep learning models against images that are modified with the Fast Gradient Sign Method (FGSM) attack. For this purpose, we have selected the following models: InceptionV3, InceptionResNetV2, ResNet152V2, Xception, DenseNet121, and MobileNetV2. All these models are pre-trained on ImageNet, and hence, we use our custom 10- animals test dataset to produce clean as well as misclassified output. Rather than focusing solely on prediction accuracy, our study uniquely quantifies the perturbation required to alter output labels, shedding light on the models' susceptibility to misclassification. The outcomes underscore varying vulnerabilities among the models to FGSM attacks, providing nuanced insights crucial for fortifying neural networks against adversarial threats. Key Words: Adversarial Perturbations, Deep Learning, ImageNet, FGSM Attack, Neural Networks, Pre-trained Models
10
Pal, Biprodip, Debashis Gupta, Md Rashed-Al-Mahfuz, Salem A. Alyami, and Mohammad Ali Moni. "Vulnerability in Deep Transfer Learning Models to Adversarial Fast Gradient Sign Attack for COVID-19 Prediction from Chest Radiography Images." Applied Sciences 11, no. 9 (May 7, 2021): 4233. http://dx.doi.org/10.3390/app11094233.
Full textAbstract:
The COVID-19 pandemic requires the rapid isolation of infected patients. Thus, high-sensitivity radiology images could be a key technique to diagnose patients besides the polymerase chain reaction approach. Deep learning algorithms are proposed in several studies to detect COVID-19 symptoms due to the success in chest radiography image classification, cost efficiency, lack of expert radiologists, and the need for faster processing in the pandemic area. Most of the promising algorithms proposed in different studies are based on pre-trained deep learning models. Such open-source models and lack of variation in the radiology image-capturing environment make the diagnosis system vulnerable to adversarial attacks such as fast gradient sign method (FGSM) attack. This study therefore explored the potential vulnerability of pre-trained convolutional neural network algorithms to the FGSM attack in terms of two frequently used models, VGG16 and Inception-v3. Firstly, we developed two transfer learning models for X-ray and CT image-based COVID-19 classification and analyzed the performance extensively in terms of accuracy, precision, recall, and AUC. Secondly, our study illustrates that misclassification can occur with a very minor perturbation magnitude, such as 0.009 and 0.003 for the FGSM attack in these models for X-ray and CT images, respectively, without any effect on the visual perceptibility of the perturbation. In addition, we demonstrated that successful FGSM attack can decrease the classification performance to 16.67% and 55.56% for X-ray images, as well as 36% and 40% in the case of CT images for VGG16 and Inception-v3, respectively, without any human-recognizable perturbation effects in the adversarial images. Finally, we analyzed that correct class probability of any test image which is supposed to be 1, can drop for both considered models and with increased perturbation; it can drop to 0.24 and 0.17 for the VGG16 model in cases of X-ray and CT images, respectively. Thus, despite the need for data sharing and automated diagnosis, practical deployment of such program requires more robustness.
11
Kim, Hoki, Woojin Lee, and Jaewook Lee. "Understanding Catastrophic Overfitting in Single-step Adversarial Training." Proceedings of the AAAI Conference on Artificial Intelligence 35, no. 9 (May 18, 2021): 8119–27. http://dx.doi.org/10.1609/aaai.v35i9.16989.
Full textAbstract:
Although fast adversarial training has demonstrated both robustness and efficiency, the problem of "catastrophic overfitting" has been observed. This is a phenomenon in which, during single-step adversarial training, the robust accuracy against projected gradient descent (PGD) suddenly decreases to 0% after a few epochs, whereas the robust accuracy against fast gradient sign method (FGSM) increases to 100%. In this paper, we demonstrate that catastrophic overfitting is very closely related to the characteristic of single-step adversarial training which uses only adversarial examples with the maximum perturbation, and not all adversarial examples in the adversarial direction, which leads to decision boundary distortion and a highly curved loss surface. Based on this observation, we propose a simple method that not only prevents catastrophic overfitting, but also overrides the belief that it is difficult to prevent multi-step adversarial attacks with single-step adversarial training.
12
Lu, Fan. "Adversarial attack against deep learning algorithms for gun category detection." Applied and Computational Engineering 53, no. 1 (March 28, 2024): 190–96. http://dx.doi.org/10.54254/2755-2721/53/20241368.
Full textAbstract:
Contemporarily, many deep learning methods have been generated for weapon detection. The weapon detection technology could be used in investigating violent cases. However, the existing gun detection models lack adversarial attack verification for special types of firearms and special picture samples. This study investigates the efficiency of Fast Gradient Sign Method(FGSM) adversarial attack in the field of weapon detection and the influence of weapon category on the attacks result. The dataset is scraped from IMDBF.com and the model being attacked is MobileNetV2, created by HeeebsInc in 2020. As a result, using FGSM methods, adversarial samples generated in film and television graphics containing pistols and rifles can effectively decrease the accuracy of the weapon detection model above. Besides, it is observed the difference of eps needed in attacking different types of gun graphics like film pictures and collection photos. These results verify that some weapon detection models have weak anti-interference, which may provide some ideas for future attacks like BIM or PGD attack.
13
Cui, Chenrui. "Adversarial attack study on VGG16 for cat and dog image classification task." Applied and Computational Engineering 50, no. 1 (March 25, 2024): 170–75. http://dx.doi.org/10.54254/2755-2721/50/20241438.
Full textAbstract:
Contemporarily, adversarial attacks on deep learning models have garnered significant attention. With this in mind, this study delves into the effectiveness of adversarial attacks specifically targeted at the VGG16 model in the context of cat and dog image classification. Employing the Fast Gradient Sign Method (FGSM) for attack, the experimental findings reveal that, within a certain perturbation range, FGSM attacks can indeed reduce the model's average confidence, albeit with relatively minor impacts on accuracy. According to the analysis, the accuracy drops (decreased from 88.5% to 88.2%) is not significant, possibly due to limited classes. With small , perturbation results in a notable confidence drop. However, at higher , perturbation impact lessens, averaging around 50% confidence for cat and dog classes, indicating a 2-class scenario's upper limit in non-targeted FGSM attacks. Additionally, this research underscores the need for further exploration into various adversarial attack methods and model interpretability within the realm of image classification. Overall, these results shed light on guiding further exploration of adversarial attack defense strategies, holding significant potential for real-world applications in enhancing the robustness of AI systems against adversarial attacks.
14
Mohamed, Mahmoud, and Mohamed Bilal. "Comparing the Performance of Deep Denoising Sparse Autoencoder with Other Defense Methods Against Adversarial Attacks for Arabic letters." Jordan Journal of Electrical Engineering 10, no. 1 (2024): 122. http://dx.doi.org/10.5455/jjee.204-1687363297.
Full textAbstract:
The aim of this paper is to compare how effectively the Deep Denoising Sparse Autoencoder (DDSA) method performs compared to other defense strategies - like adversarial training, defensive distillation and feature squeezing - in dealing with adversarial attacks for Arabic letters. We strive to evaluate both the accuracy and robustness as well as efficiency of these methods by examining a test set from the Arabic Handwritten Characters Dataset while considering adversarial attacks. Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), and Carlini and Wagner (C&W) are all part of this. Our research findings demonstrate that DDSA surpasses the rest of the defense methods in terms of classification accuracy and robustness. This exceptional performance is due to the distinctive attributes of DDSA, which concentrate on acquiring distinguishing features and integrating spatial information to improve defense against adversarial perturbations. While it necessitates more computational resources, DDSA's superior performance validates the additional expenses, particularly in critical applications where misclassification may have severe implications.
15
Navjot Kaur. "Robustness and Security in Deep Learning: Adversarial Attacks and Countermeasures." Journal of Electrical Systems 20, no. 3s (April 4, 2024): 1250–57. http://dx.doi.org/10.52783/jes.1436.
Full textAbstract:
Deep learning models have demonstrated remarkable performance across various domains, yet their susceptibility to adversarial attacks remains a significant concern. In this study, we investigate the effectiveness of three defense mechanisms—Baseline (No Defense), Adversarial Training, and Input Preprocessing—in enhancing the robustness of deep learning models against adversarial attacks. The baseline model serves as a reference point, highlighting the vulnerability of deep learning systems to adversarial perturbations. Adversarial Training, involving the augmentation of training data with adversarial examples, significantly improves model resilience, demonstrating higher accuracy under both Fast Gradient Sign Method (FGSM) and Iterative Gradient Sign Method (IGSM) attacks. Similarly, Input Preprocessing techniques mitigate the impact of adversarial perturbations on model predictions by modifying input data before inference. However, each defense mechanism presents trade-offs in terms of computational complexity and performance. Adversarial Training requires additional computational resources and longer training times, while Input Preprocessing techniques may introduce distortions affecting model generalization. Future research directions may focus on developing more sophisticated defense mechanisms, including ensemble methods, gradient masking, and certified defense strategies, to provide robust and reliable deep learning systems in real-world scenarios. This study contributes to a deeper understanding of defense mechanisms against adversarial attacks in deep learning, highlighting the importance of implementing robust strategies to enhance model resilience.
16
Zhang, Qikun, Yuzhi Zhang, Yanling Shao, Mengqi Liu, Jianyong Li, Junling Yuan, and Ruifang Wang. "Boosting Adversarial Attacks with Nadam Optimizer." Electronics 12, no. 6 (March 20, 2023): 1464. http://dx.doi.org/10.3390/electronics12061464.
Full textAbstract:
Deep neural networks are extremely vulnerable to attacks and threats from adversarial examples. These adversarial examples deliberately crafted by attackers can easily fool classification models by adding imperceptibly tiny perturbations on clean images. This brings a great challenge to image security for deep learning. Therefore, studying and designing attack algorithms for generating adversarial examples is essential for building robust models. Moreover, adversarial examples are transferable in that they can mislead multiple different classifiers across models. This makes black-box attacks feasible for practical applications. However, most attack methods have low success rates and weak transferability against black-box models. This is because they often overfit the model during the production of adversarial examples. To address this issue, we propose a Nadam iterative fast gradient method (NAI-FGM), which combines an improved Nadam optimizer with gradient-based iterative attacks. Specifically, we introduce the look-ahead momentum vector and the adaptive learning rate component based on the Momentum Iterative Fast Gradient Sign Method (MI-FGSM). The look-ahead momentum vector is dedicated to making the loss function converge faster and get rid of the poor local maximum. Additionally, the adaptive learning rate component is used to help the adversarial example to converge to a better extreme point by obtaining adaptive update directions according to the current parameters. Furthermore, we also carry out different input transformations to further enhance the attack performance before using NAI-FGM for attack. Finally, we consider attacking the ensemble model. Extensive experiments show that the NAI-FGM has stronger transferability and black-box attack capability than advanced momentum-based iterative attacks. In particular, when using the adversarial examples produced by way of ensemble attack to test the adversarially trained models, the NAI-FGM improves the success rate by 8% to 11% over the other attack methods. Last but not least, the NAI-DI-TI-SI-FGM combined with the input transformation achieves a success rate of 91.3% on average.
17
Yang, Bo, Kaiyong Xu, Hengjun Wang, and Hengwei Zhang. "Random Transformation of image brightness for adversarial attack." Journal of Intelligent & Fuzzy Systems 42, no. 3 (February 2, 2022): 1693–704. http://dx.doi.org/10.3233/jifs-211157.
Full textAbstract:
Deep neural networks (DNNs) are vulnerable to adversarial examples, which are crafted by adding small, human-imperceptible perturbations to the original images, but make the model output inaccurate predictions. Before DNNs are deployed, adversarial attacks can thus be an important method to evaluate and select robust models in safety-critical applications. However, under the challenging black-box setting, the attack success rate, i.e., the transferability of adversarial examples, still needs to be improved. Based on image augmentation methods, this paper found that random transformation of image brightness can eliminate overfitting in the generation of adversarial examples and improve their transferability. In light of this phenomenon, this paper proposes an adversarial example generation method, which can be integrated with Fast Gradient Sign Method (FGSM)-related methods to build a more robust gradient-based attack and to generate adversarial examples with better transferability. Extensive experiments on the ImageNet dataset have demonstrated the effectiveness of the aforementioned method. Whether on normally or adversarially trained networks, our method has a higher success rate for black-box attacks than other attack methods based on data augmentation. It is hoped that this method can help evaluate and improve the robustness of models.
18
Vyas, Dhairya, and Viral V. Kapadia. "Designing defensive techniques to handle adversarial attack on deep learning based model." PeerJ Computer Science 10 (March 8, 2024): e1868. http://dx.doi.org/10.7717/peerj-cs.1868.
Full textAbstract:
Adversarial attacks pose a significant challenge to deep neural networks used in image classification systems. Although deep learning has achieved impressive success in various tasks, it can easily be deceived by adversarial patches created by adding subtle yet deliberate distortions to natural images. These attacks are designed to remain hidden from both human and computer-based classifiers. Considering this, we propose novel model designs that enhance adversarial strength with incorporating feature denoising blocks. Exclusively, proposed model utilizes Gaussian data augmentation (GDA) and spatial smoothing (SS) to denoise the features. These techniques are reasonable and can be mixed in a joint finding context to accomplish superior recognition levels versus adversarial assaults while also balancing other defenses. We tested the proposed approach on the ImageNet and CIFAR-10 datasets using 10-iteration projected gradient descent (PGD), fast gradient sign method (FGSM), and DeepFool attacks. The proposed method achieved an accuracy of 95.62% in under four minutes, which is highly competitive compared to existing approaches. We also conducted a comparative analysis with existing methods.
19
Zou, Junhua, Yexin Duan, Boyu Li, Wu Zhang, Yu Pan, and Zhisong Pan. "Making Adversarial Examples More Transferable and Indistinguishable." Proceedings of the AAAI Conference on Artificial Intelligence 36, no. 3 (June 28, 2022): 3662–70. http://dx.doi.org/10.1609/aaai.v36i3.20279.
Full textAbstract:
Fast gradient sign attack series are popular methods that are used to generate adversarial examples. However, most of the approaches based on fast gradient sign attack series cannot balance the indistinguishability and transferability due to the limitations of the basic sign structure. To address this problem, we propose a method, called Adam Iterative Fast Gradient Tanh Method (AI-FGTM), to generate indistinguishable adversarial examples with high transferability. Besides, smaller kernels and dynamic step size are also applied to generate adversarial examples for further increasing the attack success rates. Extensive experiments on an ImageNet-compatible dataset show that our method generates more indistinguishable adversarial examples and achieves higher attack success rates without extra running time and resource. Our best transfer-based attack NI-TI-DI-AITM can fool six classic defense models with an average success rate of 89.3% and three advanced defense models with an average success rate of 82.7%, which are higher than the state-of-the-art gradient-based attacks. Additionally, our method can also reduce nearly 20% mean perturbation. We expect that our method will serve as a new baseline for generating adversarial examples with better transferability and indistinguishability.
20
Utomo, Sapdo, Adarsh Rouniyar, Hsiu-Chun Hsu, and Pao-Ann Hsiung. "Federated Adversarial Training Strategies for Achieving Privacy and Security in Sustainable Smart City Applications." Future Internet 15, no. 11 (November 20, 2023): 371. http://dx.doi.org/10.3390/fi15110371.
Full textAbstract:
Smart city applications that request sensitive user information necessitate a comprehensive data privacy solution. Federated learning (FL), also known as privacy by design, is a new paradigm in machine learning (ML). However, FL models are susceptible to adversarial attacks, similar to other AI models. In this paper, we propose federated adversarial training (FAT) strategies to generate robust global models that are resistant to adversarial attacks. We apply two adversarial attack methods, projected gradient descent (PGD) and the fast gradient sign method (FGSM), to our air pollution dataset to generate adversarial samples. We then evaluate the effectiveness of our FAT strategies in defending against these attacks. Our experiments show that FGSM-based adversarial attacks have a negligible impact on the accuracy of global models, while PGD-based attacks are more effective. However, we also show that our FAT strategies can make global models robust enough to withstand even PGD-based attacks. For example, the accuracy of our FAT-PGD and FL-mixed-PGD models is 81.13% and 82.60%, respectively, compared to 91.34% for the baseline FL model. This represents a reduction in accuracy of 10%, but this could be potentially mitigated by using a more complex and larger model. Our results demonstrate that FAT can enhance the security and privacy of sustainable smart city applications. We also show that it is possible to train robust global models from modest datasets per client, which challenges the conventional wisdom that adversarial training requires massive datasets.
21
Han, Dong, Reza Babaei, Shangqing Zhao, and Samuel Cheng. "Exploring the Efficacy of Learning Techniques in Model Extraction Attacks on Image Classifiers: A Comparative Study." Applied Sciences 14, no. 9 (April 29, 2024): 3785. http://dx.doi.org/10.3390/app14093785.
Full textAbstract:
In the rapidly evolving landscape of cybersecurity, model extraction attacks pose a significant challenge, undermining the integrity of machine learning models by enabling adversaries to replicate proprietary algorithms without direct access. This paper presents a comprehensive study on model extraction attacks towards image classification models, focusing on the efficacy of various Deep Q-network (DQN) extensions for enhancing the performance of surrogate models. The goal is to identify the most efficient approaches for choosing images that optimize adversarial benefits. Additionally, we explore synthetic data generation techniques, including the Jacobian-based method, Linf-projected Gradient Descent (LinfPGD), and Fast Gradient Sign Method (FGSM) aiming to facilitate the training of adversary models with enhanced performance. Our investigation also extends to the realm of data-free model extraction attacks, examining their feasibility and performance under constrained query budgets. Our investigation extends to the comparison of these methods under constrained query budgets, where the Prioritized Experience Replay (PER) technique emerges as the most effective, outperforming other DQN extensions and synthetic data generation methods. Through rigorous experimentation, including multiple trials to ensure statistical significance, this work provides valuable insights into optimizing model extraction attacks.
22
Trinh Quang Kien. "Improving the robustness of binarized neural network using the EFAT method." Journal of Military Science and Technology, CSCE5 (December 15, 2021): 14–23. http://dx.doi.org/10.54939/1859-1043.j.mst.csce5.2021.14-23.
Full textAbstract:
In recent years with the explosion of research in artificial intelligence, deep learning models based on convolutional neural networks (CNNs) are one of the promising architectures for practical applications thanks to their reasonably good achievable accuracy. However, CNNs characterized by convolutional layers often have a large number of parameters and computational workload, leading to large energy consumption for training and network inference. The binarized neural network (BNN) model has been recently proposed to overcome that drawback. The BNNs use binary representation for the inputs and weights, which inherently reduces memory requirements and simplifies computations while still maintaining acceptable accuracy. BNN thereby is very suited for the practical realization of Edge-AI application on resource- and energy-constrained devices such as embedded or mobile devices. As CNN and BNN both compose linear transformations layers, they can be fooled by adversarial attack patterns. This topic has been actively studied recently but most of them are for CNN. In this work, we examine the impact of the adversarial attack on BNNs and propose a solution to improve the accuracy of BNN against this type of attack. Specifically, we use an Enhanced Fast Adversarial Training (EFAT) method to train the network that helps the BNN be more robust against major adversarial attack models with a very short training time. Experimental results with Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) attack models on our trained BNN network with MNIST dataset increased accuracy from 31.34% and 0.18% to 96.96% and 85.08%, respectively.
23
Rudd-Orthner, Richard N. M., and Lyudmila Mihaylova. "Deep ConvNet: Non-Random Weight Initialization for Repeatable Determinism, Examined with FSGM." Sensors 21, no. 14 (July 13, 2021): 4772. http://dx.doi.org/10.3390/s21144772.
Full textAbstract:
A repeatable and deterministic non-random weight initialization method in convolutional layers of neural networks examined with the Fast Gradient Sign Method (FSGM). Using the FSGM approach as a technique to measure the initialization effect with controlled distortions in transferred learning, varying the dataset numerical similarity. The focus is on convolutional layers with induced earlier learning through the use of striped forms for image classification. Which provided a higher performing accuracy in the first epoch, with improvements of between 3–5% in a well known benchmark model, and also ~10% in a color image dataset (MTARSI2), using a dissimilar model architecture. The proposed method is robust to limit optimization approaches like Glorot/Xavier and He initialization. Arguably the approach is within a new category of weight initialization methods, as a number sequence substitution of random numbers, without a tether to the dataset. When examined under the FGSM approach with transferred learning, the proposed method when used with higher distortions (numerically dissimilar datasets), is less compromised against the original cross-validation dataset, at ~31% accuracy instead of ~9%. This is an indication of higher retention of the original fitting in transferred learning.
24
Xu, Wei, and Veerawat Sirivesmas. "Study on Network Virtual Printing Sculpture Design using Artificial Intelligence." International Journal of Communication Networks and Information Security (IJCNIS) 15, no. 1 (May 30, 2023): 132–45. http://dx.doi.org/10.17762/ijcnis.v15i1.5694.
Full textAbstract:
Sculptures are visionaries of a country’s culture from time immemorial. Chinese sculptures hold an aesthetic value in the global market, catalysed by opening the country's gates. On the other hand, this paved the way for many duplicates and replicates of the original sculptures, defaming the entire artwork. This work proposes a defrauding model that deploys a Siamese-based Convolutional Neural Network (S-CNN) that effectively detects the mimicked sculpture images. Nevertheless, adversarial attacks are gaining momentum, compromising the deep learning models to make predictions for faked or forged images. The work uses a Simplified Graph Convolutional Network (SGCN) to misclassify the adversarial images generated by the Fast Gradient Sign Method (FGSM) to combat this attack. The model's training is done with adversarial images of the Imagenet dataset. By transfer learning, the model is rested for its efficacy in identifying the adversarial examples of the Chinese God images dataset. The results showed that the proposed model could detect the generated adversarial examples with a reasonable misclassification rate.
25
Guan, Dejian, and Wentao Zhao . "Adversarial Detection Based on Inner-Class Adjusted Cosine Similarity." Applied Sciences 12, no. 19 (September 20, 2022): 9406. http://dx.doi.org/10.3390/app12199406.
Full textAbstract:
Deep neural networks (DNNs) have attracted extensive attention because of their excellent performance in many areas; however, DNNs are vulnerable to adversarial examples. In this paper, we propose a similarity metric called inner-class adjusted cosine similarity (IACS) and apply it to detect adversarial examples. Motivated by the fast gradient sign method (FGSM), we propose to utilize an adjusted cosine similarity which takes both the feature angle and scale information into consideration and therefore is able to effectively discriminate subtle differences. Given the predicted label, the proposed IACS is measured between the features of the test sample and those of the normal samples with the same label. Unlike other detection methods, we can extend our method to extract disentangled features with different deep network models but are not limited to the target model (the adversarial attack model). Furthermore, the proposed method is able to detect adversarial examples crossing attacks, that is, a detector learned with one type of attack can effectively detect other types. Extensive experimental results show that the proposed IACS features can well distinguish adversarial examples and normal examples and achieve state-of-the-art performance.
26
Zhao, Weimin, Sanaa Alwidian, and Qusay H. Mahmoud. "Adversarial Training Methods for Deep Learning: A Systematic Review." Algorithms 15, no. 8 (August 12, 2022): 283. http://dx.doi.org/10.3390/a15080283.
Full textAbstract:
Deep neural networks are exposed to the risk of adversarial attacks via the fast gradient sign method (FGSM), projected gradient descent (PGD) attacks, and other attack algorithms. Adversarial training is one of the methods used to defend against the threat of adversarial attacks. It is a training schema that utilizes an alternative objective function to provide model generalization for both adversarial data and clean data. In this systematic review, we focus particularly on adversarial training as a method of improving the defensive capacities and robustness of machine learning models. Specifically, we focus on adversarial sample accessibility through adversarial sample generation methods. The purpose of this systematic review is to survey state-of-the-art adversarial training and robust optimization methods to identify the research gaps within this field of applications. The literature search was conducted using Engineering Village (Engineering Village is an engineering literature search tool, which provides access to 14 engineering literature and patent databases), where we collected 238 related papers. The papers were filtered according to defined inclusion and exclusion criteria, and information was extracted from these papers according to a defined strategy. A total of 78 papers published between 2016 and 2021 were selected. Data were extracted and categorized using a defined strategy, and bar plots and comparison tables were used to show the data distribution. The findings of this review indicate that there are limitations to adversarial training methods and robust optimization. The most common problems are related to data generalization and overfitting.
27
Li, Xinyu, Shaogang Dai, and Zhijin Zhao. "Unsupervised Learning-Based Spectrum Sensing Algorithm with Defending Adversarial Attacks." Applied Sciences 13, no. 16 (August 9, 2023): 9101. http://dx.doi.org/10.3390/app13169101.
Full textAbstract:
Although the spectrum sensing algorithms based on deep learning have achieved remarkable detection performance, the sensing performance is easily affected by adversarial attacks due to the fragility of neural networks. Even slight adversarial perturbations lead to a sharp deterioration of the model detection performance. To enhance the defense capability of the spectrum sensing model against such attacks, an unsupervised learning-based spectrum sensing algorithm with defending adversarial attacks (USDAA) is proposed, which is divided into two stages: adversarial pre-training and fine-tuning. In the adversarial pre-training stage, encoders are used to extract the features of adversarial samples and clean samples, respectively, and then decoders are used to reconstruct the samples, and comparison loss and reconstruction loss are designed to optimize the network parameters. It can reduce the dependence of model training on labeled samples and improve the robustness of the model to attack perturbations. In the fine-tuning stage, a small number of adversarial samples are used to fine-tune the pre-trained encoder and classification layer to obtain the spectrum sensing defense model. The experimental results show that the USDAA algorithm is better than the denoising autoencoder and distillation defense algorithm (DAED) against FGSM and PGD adversarial attacks. The number of labeled samples used in USDAA is only 11% of the DAED. When the false alarm probability is 0.1 and the SNR is −10 dB, the detection probability of the USDAA algorithm for the fast gradient sign method (FGSM) and the projected gradient descent (PGD) attack samples with random perturbations is above 88%, while the detection probability of the DAED algorithm for both attack samples is lower than 69%. Additionally, the USDAA algorithm has better robustness to attack with unknown perturbations.
28
Zhu, Min-Ling, Liang-Liang Zhao, and Li Xiao. "Image Denoising Based on GAN with Optimization Algorithm." Electronics 11, no. 15 (August 5, 2022): 2445. http://dx.doi.org/10.3390/electronics11152445.
Full textAbstract:
Image denoising has been a knotty issue in the computer vision field, although the developing deep learning technology has brought remarkable improvements in image denoising. Denoising networks based on deep learning technology still face some problems, such as in their accuracy and robustness. This paper constructs a robust denoising network based on a generative adversarial network (GAN). Since the neural network has the phenomena of gradient dispersion and feature disappearance, the global residual is added to the autoencoder in the generator network, to extract and learn the features of the input image, so as to ensure the stability of the network. On this basis, we proposed an optimization algorithm (OA), to train and optimize the mean and variance of noise on each node of the generator. Then the robustness of the denoising network was improved through back propagation. Experimental results showed that the model’s denoising effect is remarkable. The accuracy of the proposed model was over 99% in the MNIST data set and over 90% in the CIFAR10 data set. The peak signal to noise ratio (PSNR) and structural similarity (SSIM) values of the proposed model were better than the state-of-the-art models in the BDS500 data set. Moreover, an anti-interference test of the model showed that the defense capacities of both the fast gradient sign method (FGSM) and project gradient descent (PGD) attacks were significantly improved, with PSNR and SSIM values decreased by less than 2%.
29
Lee , Jungeun, and Hoeseok Yang . "Performance Improvement of Image-Reconstruction-Based Defense against Adversarial Attack." Electronics 11, no. 15 (July 28, 2022): 2372. http://dx.doi.org/10.3390/electronics11152372.
Full textAbstract:
Deep Neural Networks (DNNs) used for image classification are vulnerable to adversarial examples, which are images that are intentionally generated to predict an incorrect output for a deep learning model. Various defense methods have been proposed to defend against such adversarial attacks, among which, image-reconstruction-based defense methods, such as DIPDefend, are known to be effective in getting rid of the adversarial perturbations injected in the image. However, this image-reconstruction-based defense approach suffers from a long execution time due to its iterative and time-consuming image reconstruction. The trade-off between the execution time and the robustness/accuracy of the defense method should be carefully explored, which is the main focus of this paper. In this work, we aim to improve the execution time of the existing state-of-the-art image-reconstruction-based defense method, DIPDefend, against the Fast Gradient Sign Method (FGSM). In doing so, we propose to take the input-specific properties into consideration when deciding the stopping point of the image reconstruction of DIPDefend. For that, we first applied a low-pass filter to the input image with various kernel sizes to make a prediction of the true label. Then, based on that, the parameters of the image reconstruction procedure were adaptively chosen. Experiments with 500 randomly chosen ImageNet validation set images show that we can obtain an approximately 40% improvement in execution time while keeping the accuracy drop as small as 0.4–3.9%.
30
Wu, Fei, Wenxue Yang, Limin Xiao, and Jinbin Zhu. "Adaptive Wiener Filter and Natural Noise to Eliminate Adversarial Perturbation." Electronics 9, no. 10 (October 3, 2020): 1634. http://dx.doi.org/10.3390/electronics9101634.
Full textAbstract:
Deep neural network has been widely used in pattern recognition and speech processing, but its vulnerability to adversarial attacks also proverbially demonstrated. These attacks perform unstructured pixel-wise perturbation to fool the classifier, which does not affect the human visual system. The role of adversarial examples in the information security field has received increased attention across a number of disciplines in recent years. An alternative approach is “like cures like”. In this paper, we propose to utilize common noise and adaptive wiener filtering to mitigate the perturbation. Our method includes two operations: noise addition, which adds natural noise to input adversarial examples, and adaptive wiener filtering, which denoising the images in the previous step. Based on the study of the distribution of attacks, adding natural noise has an impact on adversarial examples to a certain extent and then they can be removed through adaptive wiener filter, which is an optimal estimator for the local variance of the image. The proposed improved adaptive wiener filter can automatically select the optimal window size between the given multiple alternative windows based on the features of different images. Based on lots of experiments, the result demonstrates that the proposed method is capable of defending against adversarial attacks, such as FGSM (Fast Gradient Sign Method), C&W, Deepfool, and JSMA (Jacobian-based Saliency Map Attack). By compared experiments, our method outperforms or is comparable to state-of-the-art methods.
31
Bhandari, Mohan, Tej Bahadur Shahi, and Arjun Neupane. "Evaluating Retinal Disease Diagnosis with an Interpretable Lightweight CNN Model Resistant to Adversarial Attacks." Journal of Imaging 9, no. 10 (October 11, 2023): 219. http://dx.doi.org/10.3390/jimaging9100219.
Full textAbstract:
Optical Coherence Tomography (OCT) is an imperative symptomatic tool empowering the diagnosis of retinal diseases and anomalies. The manual decision towards those anomalies by specialists is the norm, but its labor-intensive nature calls for more proficient strategies. Consequently, the study recommends employing a Convolutional Neural Network (CNN) for the classification of OCT images derived from the OCT dataset into distinct categories, including Choroidal NeoVascularization (CNV), Diabetic Macular Edema (DME), Drusen, and Normal. The average k-fold (k = 10) training accuracy, test accuracy, validation accuracy, training loss, test loss, and validation loss values of the proposed model are 96.33%, 94.29%, 94.12%, 0.1073, 0.2002, and 0.1927, respectively. Fast Gradient Sign Method (FGSM) is employed to introduce non-random noise aligned with the cost function’s data gradient, with varying epsilon values scaling the noise, and the model correctly handles all noise levels below 0.1 epsilon. Explainable AI algorithms: Local Interpretable Model-Agnostic Explanations (LIME) and SHapley Additive exPlanations (SHAP) are utilized to provide human interpretable explanations approximating the behaviour of the model within the region of a particular retinal image. Additionally, two supplementary datasets, namely, COVID-19 and Kidney Stone, are assimilated to enhance the model’s robustness and versatility, resulting in a level of precision comparable to state-of-the-art methodologies. Incorporating a lightweight CNN model with 983,716 parameters, 2.37×108 floating point operations per second (FLOPs) and leveraging explainable AI strategies, this study contributes to efficient OCT-based diagnosis, underscores its potential in advancing medical diagnostics, and offers assistance in the Internet-of-Medical-Things.
32
Su, Guanpeng. "Analysis of the attack effect of adversarial attacks on machine learning models." Applied and Computational Engineering 6, no. 1 (June 14, 2023): 1212–18. http://dx.doi.org/10.54254/2755-2721/6/20230607.
Full textAbstract:
The use of neural networks has produced outstanding results in a variety of domains, including computer vision and text mining. Numerous investigations in recent years have shown that using adversarial attacks technology to perturb the input samples weakly can mislead most mainstream neural network models, for example Fully Connected Neural Networks (FCNN) and Convolutional Neural Networks (CNN), to make wrong judgment results. Adversarial attacks can help researchers discover the potential defects of neural network models in terms of robustness and security so that people can comprehend the neural network models' learning process better and solve the neural network models' interpretability. However, suppose an adversarial attack is performed on a non-deep learning model. In that case, the results are very different from the deep learning model. This paper first briefly outlines the existing adversarial example technology; then selects the CIFAR10 dataset as the test data and LeNet, ResNet18, and VGG16 as the test model according to the technical principle; then uses the Fast Gradient Sign Attack (FGSM) method to conduct attack experiments with the CNNs and traditional machine learning algorithms like K-Nearest Neighbors (KNN) and Support Vector Machine (SVM); then analyze the experimental results and find that the adversarial example technology is specific to the deep learning model, but it cannot be completely denied that adversarial examples have no attack effect on traditional machine learning models.
33
Huang, Bowen, Ruoheng Feng, and Jiahao Yuan. "Exploiting ensembled neural network model for social platform rumor detection." Applied and Computational Engineering 20, no. 1 (October 23, 2023): 231–39. http://dx.doi.org/10.54254/2755-2721/20/20231103.
Full textAbstract:
With the spread of the internet and social media, it has become difficult to detect rumors from the vast amount of event information. In order to improve the accuracy of rumor detection, deep learning neural network models are often used in rumor detection tasks. First, this paper reproduces the rumor detection experiments of four single neural network models: Long Short-term Memory Networks (LSTM), Text Convolutional Neural Networks (TextCNN), Text Recurrent Neural Network with Attention Mechanism (TextRNN_Att), and Transformer. On this basis, a model based on pre-trained feature extractor and ensemble learning is proposed, and a weighted average ensemble algorithm is adopted. The results show that the rumor-detecting ensemble learning model is better than the single model in all indicators. Then, aiming at the problem that the weighted average ensemble method cannot determine the optimal ensemble parameters, this paper proposes to improve the adaptive ensemble model. Multilayer Perceptron (MLP) is selected as the metamodel, and the weight parameters are automatically trained finetuning on the predicted output of the base model by weighted summation and MLP neural network is used, which improves the traditional integrated weighted average model and realizes the function of automatic weight adjustment. Finally, the Fast Gradient Sign Method (FGSM) algorithm is used to train the model adversarily. The results show that the ensemble model after adversarial training obtains stronger generalization, robustness and attack resistance under the premise of ensuring that the classification performance is not reduced.
34
Kwon, Hyun. "MedicalGuard: U-Net Model Robust against Adversarially Perturbed Images." Security and Communication Networks 2021 (August 9, 2021): 1–8. http://dx.doi.org/10.1155/2021/5595026.
Full textAbstract:
Deep neural networks perform well for image recognition, speech recognition, and pattern analysis. This type of neural network has also been used in the medical field, where it has displayed good performance in predicting or classifying patient diagnoses. An example is the U-Net model, which has demonstrated good performance in data segmentation, an important technology in the field of medical imaging. However, deep neural networks are vulnerable to adversarial examples. Adversarial examples are samples created by adding a small amount of noise to an original data sample in such a way that to human perception they appear to be normal data but they will be incorrectly classified by the classification model. Adversarial examples pose a significant threat in the medical field, as they can cause models to misidentify or misclassify patient diagnoses. In this paper, I propose an advanced adversarial training method to defend against such adversarial examples. An advantage of the proposed method is that it creates a wide variety of adversarial examples for use in training, which are generated by the fast gradient sign method (FGSM) for a range of epsilon values. A U-Net model trained on these diverse adversarial examples will be more robust to unknown adversarial examples. Experiments were conducted using the ISBI 2012 dataset, with TensorFlow as the machine learning library. According to the experimental results, the proposed method builds a model that demonstrates segmentation robustness against adversarial examples by reducing the pixel error between the original labels and the adversarial examples to an average of 1.45.
35
Haroon, Muhammad Shahzad, and Husnain Mansoor Ali. "Ensemble adversarial training based defense against adversarial attacks for machine learning-based intrusion detection system." Neural Network World 33, no. 5 (2023): 317–36. http://dx.doi.org/10.14311/nnw.2023.33.018.
Full textAbstract:
In this paper, a defence mechanism is proposed against adversarial attacks. The defence is based on an ensemble classifier that is adversarially trained. This is accomplished by generating adversarial attacks from four different attack methods, i.e., Jacobian-based saliency map attack (JSMA), projected gradient descent (PGD), momentum iterative method (MIM), and fast gradient signed method (FGSM). The adversarial examples are used to identify the robust machine-learning algorithms which eventually participate in the ensemble. The adversarial attacks are divided into seen and unseen attacks. To validate our work, the experiments are conducted using NSLKDD, UNSW-NB15 and CICIDS17 datasets. Grid search for the ensemble is used to optimise results. The parameter used for performance evaluations is accuracy, F1 score and AUC score. It is shown that an adversarially trained ensemble classifier produces better results.
36
Shi, Lin, Teyi Liao, and Jianfeng He. "Defending Adversarial Attacks against DNN Image Classification Models by a Noise-Fusion Method." Electronics 11, no. 12 (June 8, 2022): 1814. http://dx.doi.org/10.3390/electronics11121814.
Full textAbstract:
Adversarial attacks deceive deep neural network models by adding imperceptibly small but well-designed attack data to the model input. Those attacks cause serious problems. Various defense methods have been provided to defend against those attacks by: (1) providing adversarial training according to specific attacks; (2) denoising the input data; (3) preprocessing the input data; and (4) adding noise to various layers of models. Here we provide a simple but effective Noise-Fusion Method (NFM) to defend adversarial attacks against DNN image classification models. Without knowing any details about attacks or models, NFM not only adds noise to the model input at run time, but also to the training data at training time. Two l∞-attacks, the Fast Gradient Signed Method (FGSM) and the Projected Gradient Descent (PGD), and one l1-attack, the Sparse L1 Descent (SLD), are applied to evaluate defense effects of the NFM on various deep neural network models which used MNIST and CIFAR-10 datasets. Various amplitude noises with different statistical distribution are applied to show the defense effects of the NFM in different noise. The NFM also compares with an adversarial training method on MNIST and CIFAR-10 datasets. Results show that adding noise to the input images and the training images not only defends against all three adversarial attacks but also improves robustness of corresponding models. The results indicate possibly generalized defense effects of the NFM which can extend to other adversarial attacks. It also shows potential application of the NFM to models not only with image input but also with voice or audio input.
37
Sun, Guangling, Yuying Su, Chuan Qin, Wenbo Xu, Xiaofeng Lu, and Andrzej Ceglowski. "Complete Defense Framework to Protect Deep Neural Networks against Adversarial Examples." Mathematical Problems in Engineering 2020 (May 11, 2020): 1–17. http://dx.doi.org/10.1155/2020/8319249.
Full textAbstract:
Although Deep Neural Networks (DNNs) have achieved great success on various applications, investigations have increasingly shown DNNs to be highly vulnerable when adversarial examples are used as input. Here, we present a comprehensive defense framework to protect DNNs against adversarial examples. First, we present statistical and minor alteration detectors to filter out adversarial examples contaminated by noticeable and unnoticeable perturbations, respectively. Then, we ensemble the detectors, a deep Residual Generative Network (ResGN), and an adversarially trained targeted network, to construct a complete defense framework. In this framework, the ResGN is our previously proposed network which is used to remove adversarial perturbations, and the adversarially trained targeted network is a network that is learned through adversarial training. Specifically, once the detectors determine an input example to be adversarial, it is cleaned by ResGN and then classified by the adversarially trained targeted network; otherwise, it is directly classified by this network. We empirically evaluate the proposed complete defense on ImageNet dataset. The results confirm the robustness against current representative attacking methods including fast gradient sign method, randomized fast gradient sign method, basic iterative method, universal adversarial perturbations, DeepFool method, and Carlini & Wagner method.
38
Saxena, Rishabh, Amit Sanjay Adate, and Don Sasikumar. "A Comparative Study on Adversarial Noise Generation for Single Image Classification." International Journal of Intelligent Information Technologies 16, no. 1 (January 2020): 75–87. http://dx.doi.org/10.4018/ijiit.2020010105.
Full textAbstract:
With the rise of neural network-based classifiers, it is evident that these algorithms are here to stay. Even though various algorithms have been developed, these classifiers still remain vulnerable to misclassification attacks. This article outlines a new noise layer attack based on adversarial learning and compares the proposed method to other such attacking methodologies like Fast Gradient Sign Method, Jacobian-Based Saliency Map Algorithm and DeepFool. This work deals with comparing these algorithms for the use case of single image classification and provides a detailed analysis of how each algorithm compares to each other.
39
An, Tong, Tao Zhang, Yanzhang Geng, and Haiquan Jiao. "Normalized Combinations of Proportionate Affine Projection Sign Subband Adaptive Filter." Scientific Programming 2021 (August 26, 2021): 1–12. http://dx.doi.org/10.1155/2021/8826868.
Full textAbstract:
The proportionate affine projection sign subband adaptive filter (PAP-SSAF) has a better performance than the affine projection sign subband adaptive filter (AP-SSAF) when we eliminate the echoes. Still, the robustness of the PAP-SSAF algorithm is insufficient under unknown environmental conditions. Besides, the best balance remains to be found between low steady-state misalignment and fast convergence rate. In order to solve this problem, we propose a normalized combination of PAP-SSAF (NCPAP-SSAF) based on the normalized adaption schema. In this paper, a power normalization adaptive rule for mixing parameters is proposed to further improve the performance of the NCPAP-SSAF algorithm. By using Nesterov’s accelerated gradient (NAG) method, the mixing parameter of the control combination can be obtained with less time consumed when we take the l1-norm of the subband error as the cost function. We also test the algorithmic complexity and memory requirements to illustrate the rationality of our method. In brief, our study contributes a novel adaptive filter algorithm, accelerating the convergence speed, reducing the steady-state error, and improving the robustness. Thus, the proposed method can be utilized to improve the performance of echo cancellation. We will optimize the combination structure and simplify unnecessary calculations to reduce the algorithm’s computational complexity in future research.
40
Hirano, Hokuto, and Kazuhiro Takemoto. "Simple Iterative Method for Generating Targeted Universal Adversarial Perturbations." Algorithms 13, no. 11 (October 22, 2020): 268. http://dx.doi.org/10.3390/a13110268.
Full textAbstract:
Deep neural networks (DNNs) are vulnerable to adversarial attacks. In particular, a single perturbation known as the universal adversarial perturbation (UAP) can foil most classification tasks conducted by DNNs. Thus, different methods for generating UAPs are required to fully evaluate the vulnerability of DNNs. A realistic evaluation would be with cases that consider targeted attacks; wherein the generated UAP causes the DNN to classify an input into a specific class. However, the development of UAPs for targeted attacks has largely fallen behind that of UAPs for non-targeted attacks. Therefore, we propose a simple iterative method to generate UAPs for targeted attacks. Our method combines the simple iterative method for generating non-targeted UAPs and the fast gradient sign method for generating a targeted adversarial perturbation for an input. We applied the proposed method to state-of-the-art DNN models for image classification and proved the existence of almost imperceptible UAPs for targeted attacks; further, we demonstrated that such UAPs can be easily generated.
41
Zhang, Xingyu, Xiongwei Zhang, Xia Zou, Haibo Liu, and Meng Sun. "Towards Generating Adversarial Examples on Combined Systems of Automatic Speaker Verification and Spoofing Countermeasure." Security and Communication Networks 2022 (July 31, 2022): 1–12. http://dx.doi.org/10.1155/2022/2666534.
Full textAbstract:
The security of unprotected automatic speaker verification (ASV) system is vulnerable to a variety of spoofing attacks where an attacker (adversary) disguises him/herself as a specific targeted user. It is a common practice to use spoofing countermeasure (CM) to improve the security of ASV systems so as to avoid illegal access. However, recent studies have shown that both ASV and CM systems are vulnerable to adversarial attacks. Previous researches mainly focus on adversarial attacks on a single ASV or CM system. But in practical scenarios, ASVs are typically deployed in conjunction with CM. In this paper, we investigate attacking the tandem system of ASV and CM with adversarial examples. The joint objective function is designed to restrict the generating process of adversarial examples. The joint gradient of the ASV and CM system is derived to generate adversarial examples. Fast Gradient Sign Method (FSGM) and Projected Gradient Descent (PGD) are utilized to study the vulnerability of tandem verification systems against white-box adversarial attacks. Through our attack, audio samples whose original labels are spoof or nontarget can be successfully accepted by the tandem system. Experimental results on the ASVSpoof2019 dataset show that the tandem system is vulnerable to our proposed attack.
42
Papadopoulos, Pavlos, Oliver Thornewill von Essen, Nikolaos Pitropakis, Christos Chrysoulas, Alexios Mylonas, and William J. Buchanan. "Launching Adversarial Attacks against Network Intrusion Detection Systems for IoT." Journal of Cybersecurity and Privacy 1, no. 2 (April 23, 2021): 252–73. http://dx.doi.org/10.3390/jcp1020014.
Full textAbstract:
As the internet continues to be populated with new devices and emerging technologies, the attack surface grows exponentially. Technology is shifting towards a profit-driven Internet of Things market where security is an afterthought. Traditional defending approaches are no longer sufficient to detect both known and unknown attacks to high accuracy. Machine learning intrusion detection systems have proven their success in identifying unknown attacks with high precision. Nevertheless, machine learning models are also vulnerable to attacks. Adversarial examples can be used to evaluate the robustness of a designed model before it is deployed. Further, using adversarial examples is critical to creating a robust model designed for an adversarial environment. Our work evaluates both traditional machine learning and deep learning models’ robustness using the Bot-IoT dataset. Our methodology included two main approaches. First, label poisoning, used to cause incorrect classification by the model. Second, the fast gradient sign method, used to evade detection measures. The experiments demonstrated that an attacker could manipulate or circumvent detection with significant probability.
43
Ding, Ning, and Knut Möller. "Using adaptive learning rate to generate adversarial images." Current Directions in Biomedical Engineering 9, no. 1 (September 1, 2023): 359–62. http://dx.doi.org/10.1515/cdbme-2023-1090.
Full textAbstract:
Abstract Convolutional neural networks (CNNs) have proved their efficiency in performing image classification tasks, as they can automatically extract the image features and make the corresponding prediction. Meanwhile, the CNNs application is highly challenged by their vulnerability to adversarial samples. These samples are slightly different from the legitimate samples, but the CNN gives wrong classification. There are various ways to find the adversarial samples. The most common method is using backpropagation to generate gradients as the directed perturbation. Contrarily to set a constrained limitation, in this paper, we use iterative fast gradient sign method to generate adversarial images with the minimum perturbation. The CNNs were trained to perform surgical tool recognition as a configuration for the modern operation room. The coefficient or the learning rate which influenced the modification per iteration, was set to be adaptive instead of a fixed number. A few functions were utilized to perform the learning rate decay to compare the performance. Especially, we propose a new adaptive learning rate algorithm that consider the loss as a part of influence factor constitute the learning rate for the rest iterations. According to the experiments, our loss adaptive learning rate method was proved to be efficient to get the minimal perturbations for adversarial attack.
44
Yang, Zhongguo, Irshad Ahmed Abbasi, Fahad Algarni, Sikandar Ali, and Mingzhu Zhang. "An IoT Time Series Data Security Model for Adversarial Attack Based on Thermometer Encoding." Security and Communication Networks 2021 (March 9, 2021): 1–11. http://dx.doi.org/10.1155/2021/5537041.
Full textAbstract:
Nowadays, an Internet of Things (IoT) device consists of algorithms, datasets, and models. Due to good performance of deep learning methods, many devices integrated well-trained models in them. IoT empowers users to communicate and control physical devices to achieve vital information. However, these models are vulnerable to adversarial attacks, which largely bring potential risks to the normal application of deep learning methods. For instance, very little changes even one point in the IoT time-series data could lead to unreliable or wrong decisions. Moreover, these changes could be deliberately generated by following an adversarial attack strategy. We propose a robust IoT data classification model based on an encode-decode joint training model. Furthermore, thermometer encoding is taken as a nonlinear transformation to the original training examples that are used to reconstruct original time series examples through the encode-decode model. The trained ResNet model based on reconstruction examples is more robust to the adversarial attack. Experiments show that the trained model can successfully resist to fast gradient sign method attack to some extent and improve the security of the time series data classification model.
45
Santana, Everton Jose, Ricardo Petri Silva, Bruno Bogaz Zarpelão, and Sylvio Barbon Junior. "Detecting and Mitigating Adversarial Examples in Regression Tasks: A Photovoltaic Power Generation Forecasting Case Study." Information 12, no. 10 (September 26, 2021): 394. http://dx.doi.org/10.3390/info12100394.
Full textAbstract:
With data collected by Internet of Things sensors, deep learning (DL) models can forecast the generation capacity of photovoltaic (PV) power plants. This functionality is especially relevant for PV power operators and users as PV plants exhibit irregular behavior related to environmental conditions. However, DL models are vulnerable to adversarial examples, which may lead to increased predictive error and wrong operational decisions. This work proposes a new scheme to detect adversarial examples and mitigate their impact on DL forecasting models. This approach is based on one-class classifiers and features extracted from the data inputted to the forecasting models. Tests were performed using data collected from a real-world PV power plant along with adversarial samples generated by the Fast Gradient Sign Method under multiple attack patterns and magnitudes. One-class Support Vector Machine and Local Outlier Factor were evaluated as detectors of attacks to Long-Short Term Memory and Temporal Convolutional Network forecasting models. According to the results, the proposed scheme showed a high capability of detecting adversarial samples with an average F1-score close to 90%. Moreover, the detection and mitigation approach strongly reduced the prediction error increase caused by adversarial samples.
46
Pantiukhin, D. V. "Educational and methodological materials of the master class “Adversarial attacks on image recognition neural networks” for students and schoolchildren." Informatics and education 38, no. 1 (April 16, 2023): 55–63. http://dx.doi.org/10.32517/0234-0453-2023-38-1-55-63.
Full textAbstract:
The problem of neural network vulnerability has been the subject of scientific research and experiments for several years. Adversarial attacks are one of the ways to “trick” a neural network, to force it to make incorrect classification decisions. The very possibility of adversarial attack lies in the peculiarities of machine learning of neural networks. The article shows how the properties of neural networks become a source of problems and limitations in their use. The materials of the corresponding researches of the author were used as a basis for the master class “Adversarial attacks on image recognition neural networks”.The article presents the educational materials of the master class: the theoretical background of the class, practical materials (in particular, the attack on a single neuron is described, the fast gradient sign method for attacking a neural network is considered), examples of experiments and calculations (the author uses the convolutional network VGG, Torch and CleverHans libraries), as well as a set of typical errors of students and the teacher’s explanations of how to eliminate these errors. In addition, the result of the experiment is given in the article, and its full code and examples of approbation of the master class materials are available at the above links.The master class is intended for both high school and university students who have learned the basics of neural networks and the Python language, and can also be of practical interest to computer science teachers, to developers of courses on machine learning and artificial intelligence as well as to university teachers.
47
Kumar, P. Sathish, and K. V. D. Kiran. "Momentum Iterative Fast Gradient Sign Algorithm for Adversarial Attacks and Defenses." Research Journal of Engineering and Technology, June 30, 2023, 7–24. http://dx.doi.org/10.52711/2321-581x.2023.00002.
Full textAbstract:
Deep neural networks (DNNs) are particularly vulnerable to adversarial samples when used as machine learning (ML) models. These kinds of samples are typically created by combining real-world samples with low-level sounds so they can mimic and deceive the target models. Since adversarial samples may switch between many models, black-box type attacks can be used in a variety of real-world scenarios. The main goal of this project is to produce an adversarial assault (white box) using PyTorch and then offer a defense strategy as a countermeasure. We developed a powerful offensive strategy known as the MI-FGSM (Momentum Iterative Fast Gradient Sign Method). It can perform better than the I-FGSM because to its adaptation (Iterative Fast Gradient Sign Method). The usage of MI-FGSM will greatly enhance transferability. The other objective of this project is to combine machine learning algorithms with quantum annealing solvers for the execution of adversarial attack and defense. Here, we'll take model-based actions based on the existence of attacks. Finally, we provide the experimental findings to show the validity of the developed attacking method by assessing the strengths of various models as well as the defensive strategies.
48
Naseem, Muhammad Luqman. "Trans-IFFT-FGSM: a novel fast gradient sign method for adversarial attacks." Multimedia Tools and Applications, February 9, 2024. http://dx.doi.org/10.1007/s11042-024-18475-7.
Full text
49
Xie, Pengfei, Shuhao Shi, Shuai Yang, Kai Qiao, Ningning Liang, Linyuan Wang, Jian Chen, Guoen Hu, and Bin Yan. "Improving the Transferability of Adversarial Examples With a Noise Data Enhancement Framework and Random Erasing." Frontiers in Neurorobotics 15 (December 9, 2021). http://dx.doi.org/10.3389/fnbot.2021.784053.
Full textAbstract:
Deep neural networks (DNNs) are proven vulnerable to attack against adversarial examples. Black-box transfer attacks pose a massive threat to AI applications without accessing target models. At present, the most effective black-box attack methods mainly adopt data enhancement methods, such as input transformation. Previous data enhancement frameworks only work on input transformations that satisfy accuracy or loss invariance. However, it does not work for other transformations that do not meet the above conditions, such as the transformation which will lose information. To solve this problem, we propose a new noise data enhancement framework (NDEF), which only transforms adversarial perturbation to avoid the above issues effectively. In addition, we introduce random erasing under this framework to prevent the over-fitting of adversarial examples. Experimental results show that the black-box attack success rate of our method Random Erasing Iterative Fast Gradient Sign Method (REI-FGSM) is 4.2% higher than DI-FGSM in six models on average and 6.6% higher than DI-FGSM in three defense models. REI-FGSM can combine with other methods to achieve excellent performance. The attack performance of SI-FGSM can be improved by 22.9% on average when combined with REI-FGSM. Besides, our combined version with DI-TI-MI-FGSM, i.e., DI-TI-MI-REI-FGSM can achieve an average attack success rate of 97.0% against three ensemble adversarial training models, which is greater than the current gradient iterative attack method. We also introduce Gaussian blur to prove the compatibility of our framework.
50
Zhang, Junjian, Hao Tan, Le Wang, Yaguan Qian, and Zhaoquan Gu. "Rethinking multi‐spatial information for transferable adversarial attacks on speaker recognition systems." CAAI Transactions on Intelligence Technology, March 29, 2024. http://dx.doi.org/10.1049/cit2.12295.
Full textAbstract:
AbstractAdversarial attacks have been posing significant security concerns to intelligent systems, such as speaker recognition systems (SRSs). Most attacks assume the neural networks in the systems are known beforehand, while black‐box attacks are proposed without such information to meet practical situations. Existing black‐box attacks improve transferability by integrating multiple models or training on multiple datasets, but these methods are costly. Motivated by the optimisation strategy with spatial information on the perturbed paths and samples, we propose a Dual Spatial Momentum Iterative Fast Gradient Sign Method (DS‐MI‐FGSM) to improve the transferability of black‐box attacks against SRSs. Specifically, DS‐MI‐FGSM only needs a single data and one model as the input; by extending to the data and model neighbouring spaces, it generates adversarial examples against the integrating models. To reduce the risk of overfitting, DS‐MI‐FGSM also introduces gradient masking to improve transferability. The authors conduct extensive experiments regarding the speaker recognition task, and the results demonstrate the effectiveness of their method, which can achieve up to 92% attack success rate on the victim model in black‐box scenarios with only one known model.