
Generating universal adversarial perturbation with ResNet. (English) Zbl 1474.68308

Summary: Adversarial machine learning, as a research area, has received a great deal of attention in recent years. Much of this attention has been devoted to a phenomenon called adversarial perturbation, which is imperceptible to humans and can be used to craft adversarial examples. Deep neural networks are vulnerable to adversarial examples, which raises security concerns about learning algorithms due to the potentially severe consequences. It has been shown that there exist image-agnostic universal perturbations that can fool a network when added to the majority of images. However, the attack strategies proposed so far for generating universal perturbations still fall short in attack success rate, attack efficiency, and transferability. In this paper, we design an attack framework that uses a residual network (ResNet) to create universal perturbations. We introduce a trainable residual-network generator that converts random noise into a universal adversarial perturbation; once trained, it can efficiently generate perturbations for any instance. Moreover, unlike traditional methods, we use a loss network to preserve the content similarity of the images. The new generator structure and objective function allow our method to achieve better attack results than existing methods. A variety of experiments conducted on the CIFAR-10 dataset reveal that our proposed attack framework constitutes an advance in the creation of universal adversarial perturbations: it achieves a success rate of 89%, outperforming comparable methods, while keeping perturbation norms low.
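
To make the described framework concrete, the following is a minimal PyTorch sketch of the general idea, assuming a small ResNet-style generator that maps a fixed noise tensor to a bounded universal perturbation, an untargeted fooling loss against the target classifier, and a fixed loss network (e.g. a pretrained feature extractor, in the spirit of perceptual losses) for the content term. All class and function names here (PerturbationGenerator, train_step, loss_net, the eps bound, and the loss weighting lam) are hypothetical illustrations under these assumptions, not the authors' implementation.

    import torch
    import torch.nn as nn
    import torch.nn.functional as F

    class ResidualBlock(nn.Module):
        # One basic residual block: two 3x3 convolutions plus a skip connection.
        def __init__(self, channels):
            super().__init__()
            self.conv1 = nn.Conv2d(channels, channels, kernel_size=3, padding=1)
            self.conv2 = nn.Conv2d(channels, channels, kernel_size=3, padding=1)

        def forward(self, x):
            return x + self.conv2(F.relu(self.conv1(x)))

    class PerturbationGenerator(nn.Module):
        # Hypothetical ResNet-style generator: a fixed random-noise tensor in,
        # a single universal perturbation out, bounded by eps via tanh scaling.
        def __init__(self, channels=3, width=64, n_blocks=4, eps=10 / 255):
            super().__init__()
            self.eps = eps
            self.head = nn.Conv2d(channels, width, kernel_size=3, padding=1)
            self.body = nn.Sequential(*[ResidualBlock(width) for _ in range(n_blocks)])
            self.tail = nn.Conv2d(width, channels, kernel_size=3, padding=1)

        def forward(self, z):
            delta = self.tail(self.body(F.relu(self.head(z))))
            return self.eps * torch.tanh(delta)  # keep the perturbation norm small

    def train_step(generator, target_model, loss_net, z, images, optimizer, lam=1.0):
        # One optimization step: the same delta is added to every image in the
        # batch, the classifier should be fooled, and a fixed loss network keeps
        # adversarial and clean images close in feature space (assumed setup).
        optimizer.zero_grad()
        delta = generator(z)
        adv = (images + delta).clamp(0.0, 1.0)
        with torch.no_grad():
            clean_labels = target_model(images).argmax(dim=1)
        # Untargeted fooling term: push predictions away from the clean labels.
        fool_loss = -F.cross_entropy(target_model(adv), clean_labels)
        # Content term: feature distance in the loss network.
        content_loss = F.mse_loss(loss_net(adv), loss_net(images))
        loss = fool_loss + lam * content_loss
        loss.backward()
        optimizer.step()
        return loss.item()

After training, a single forward pass generator(z) yields one fixed perturbation that can be added to arbitrary inputs without further optimization, which is what makes such an attack universal and efficient.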

MSC:

68T07 Artificial neural networks and deep learning
