Kassem Kallas scite author profile

Backdoor attacks against CNNs represent a new threat against deep learning systems, due to the possibility of corrupting the training set so to induce an incorrect behaviour at test time. To avoid that the trainer recognises the presence of the corrupted samples, the corruption of the training set must be as stealthy as possible. Previous works have focused on the stealthiness of the perturbation injected into the training samples, however they all assume that the labels of the corrupted samples are also poisoned. This greatly reduces the stealthiness of the attack, since samples whose content does not agree with the label can be identified by visual inspection of the training set or by running a pre-classification step. In this paper we present a new backdoor attack without label poisoning Since the attack works by corrupting only samples of the target class, it has the additional advantage that it does not need to identify beforehand the class of the samples to be attacked at test time. Results obtained on the MNIST digits recognition task and the traffic signs classification task show that backdoor attacks without label poisoning are indeed possible, thus raising a new alarm regarding the use of deep learning in security-critical applications.Index Terms-Adversarial learning, security of deep learning, backdoor poisoning attacks, training with poisoned data.

show abstract

CNN Detection of GAN-Generated Face Images based on Cross-Band Co-occurrences Analysis

Barni

Kallas

Nowroozi

et al. 2020

View full text Add to dashboard Cite

Last-generation GAN models allow to generate synthetic images which are visually indistinguishable from natural ones, raising the need to develop tools to distinguish fake and natural images thus contributing to preserve the trustworthiness of digital images. While modern GAN models can generate very high-quality images with no visibile spatial artifacts, reconstruction of consistent relationships among colour channels is expectedly more difficult. In this paper, we propose a method for distinguishing GAN-generated from natural images by exploiting inconsistencies among spectral bands, with specific focus on the generation of synthetic face images. Specifically, we use cross-band co-occurrence matrices, in addition to spatial cooccurrence matrices, as input to a CNN model, which is trained to distinguish between real and synthetic faces. The results of our experiments confirm the goodness of our approach which outperforms a similar detection technique based on intra-band spatial co-occurrences only. The performance gain is particularly significant with regard to robustness against post-processing, like geometric transformations, filtering and contrast manipulations.

show abstract

On the Transferability of Adversarial Examples against CNN-based Image Forensics

Barni

Kallas

Nowroozi

et al. 2019

View full text Add to dashboard Cite

Recent studies have shown that Convolutional Neural Networks (CNN) are relatively easy to attack through the generation of so called adversarial examples. Such vulnerability also affects CNNbased image forensic tools. Research in deep learning has shown that adversarial examples exhibit a certain degree of transferability, i.e., they maintain part of their effectiveness even against CNN models other than the one targeted by the attack. This is a very strong property undermining the usability of CNN's in security-oriented applications. In this paper, we investigate if attack transferability also holds in image forensics applications. With specific reference to the case of manipulation detection, we analyse the results of several experiments considering different sources of mismatch between the CNN used to build the adversarial examples and the one adopted by the forensic analyst. The analysis ranges from cases in which the mismatch involves only the training dataset, to cases in which the attacker and the forensic analyst adopt different architectures. The results of our experiments show that, in the majority of the cases, the attacks are not transferable, thus easing the design of proper countermeasures at least when the attacker does not have a perfect knowledge of the target detector.

show abstract

Decision fusion with corrupted reports in multi-sensor networks: A game-theoretic approach

Abrardo

Barni

Kallas

et al. 2014

View full text Add to dashboard Cite

Decision fusion in adversarial setting is receiving increasing attention due to its relevance in several applications including sensor networks, cognitive radio, social networks, distributed network monitoring. In most cases, a fusion center has to make a decision based on the reports provided by local agents, e.g. the nodes of a multi-sensor network. In this paper, we consider a setup in which the fusion center makes its decision on the status of an observed system by relying on the decisions made by a pool of local nodes and by taking into account the possibility that some nodes maliciously corrupt their reports to induce a decision error. We do so by casting the problem into a game-theoretic framework and looking for the existence of an equilibrium point defining the optimum strategies for the fusion center and the malicious nodes. We analyze two different strategies for the fusion center: a strategy recently introduced by Varshney et al. in a cognitive radio setup and a new approach based on soft identification of malicious nodes. The superior performance of the new decision scheme are demonstrated by resorting to the game-theoretic framework introduced previously.

show abstract

A Game-Theoretic Framework for Optimum Decision Fusion in the Presence of Byzantines

Abrardo

Barni

Kallas

et al. 2016

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Abstract-Optimum decision fusion in the presence of malicious nodes -often referred to as Byzantines -is hindered by the necessity of exactly knowing the statistical behavior of Byzantines. By focusing on a simple, yet widely studied, set-up in which a Fusion Center (FC) is asked to make a binary decision about a sequence of system states by relying on the possibly corrupted decisions provided by local nodes, we propose a game-theoretic framework which permits to exploit the superior performance provided by optimum decision fusion, while limiting the amount of a-priori knowledge required. We first derive the optimum decision strategy by assuming that the statistical behavior of the Byzantines is known. Then we relax such an assumption by casting the problem into a game-theoretic framework in which the FC tries to guess the behavior of the Byzantines, which, in turn, must fix their corruption strategy without knowing the guess made by the FC. We use numerical simulations to derive the equilibrium of the game, thus identifying the optimum behavior for both the FC and the Byzantines, and to evaluate the achievable performance at the equilibrium. We analyze several different setups, showing that in all cases the proposed solution permits to improve the accuracy of data fusion. We also show that, in some instances, it is preferable for the Byzantines to minimize the mutual information between the status of the observed system and the reports submitted to the FC, rather than always flipping the decision made by the local nodes as it is customarily assumed in previous works.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Kassem Kallas

A New Backdoor Attack in CNNS by Training Set Corruption Without Label Poisoning

CNN Detection of GAN-Generated Face Images based on Cross-Band Co-occurrences Analysis

On the Transferability of Adversarial Examples against CNN-based Image Forensics

Decision fusion with corrupted reports in multi-sensor networks: A game-theoretic approach

A Game-Theoretic Framework for Optimum Decision Fusion in the Presence of Byzantines

Contact Info

Product

Resources

About