Adversarial Example Attacks in the Physical World

Ren, Huali; Huang, Teng

doi:10.1007/978-3-030-62460-6_51

Cited by 7 publications

(3 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…All detailed results are provided on our companion website [55]. Using other adversarial attacks, such as the fast gradient sign method (FGSM) [36] and iterative FGSM (i-FGSM) [73], will give the same conclusion.…”

Section: Threats To Validitymentioning

confidence: 94%

DRE: density-based data selection with entropy for adversarial-robust deep learning models

Guo

Cordy

et al. 2022

Neural Comput & Applic

View full text Add to dashboard Cite

Active learning helps software developers reduce the labeling cost when building high-quality machine learning models. A core component of active learning is the acquisition function that determines which data should be selected to annotate.State-of-the-art (SOTA) acquisition functions focus on clean performance (e.g. accuracy) but disregard robustness (an important quality property), leading to fragile models with negligible robustness (less than 0.20%). In this paper, we first propose to integrate adversarial training into active learning (adversarial-robust active learning, ARAL) to produce robust models. Our empirical study on 11 acquisition functions and 15105 trained deep neural networks (DNNs) shows that ARAL can produce models with robustness ranging from 2.35% to 63.85%. Our study also reveals, however, that the acquisition functions that perform well on accuracy are worse than random sampling when it comes to robustness. Via examining the reasons behind this, we devise the density-based robust sampling with entropy (DRE) to target both clean performance and robustness. The core idea of DRE is to maintain a balance between selected data and the entire set based on the entropy density distribution. DRE outperforms SOTA functions in terms of robustness by up to 24.40%, while remaining competitive on accuracy. Additionally, the in-depth evaluation shows that DRE is applicable as a test selection metric for model retraining and stands out from all compared functions by up to 8.21% robustness.

show abstract

Section: Threats To Validitymentioning

confidence: 94%

DRE: density-based data selection with entropy for adversarial-robust deep learning models

Guo

Cordy

et al. 2022

Neural Comput & Applic

View full text Add to dashboard Cite

show abstract

“…Physical Attacks on Sensing: Existing physical attack methods can be mainly summarized into three categories based on their sensing modality: (1) Camera: Many attacks on cameras use physical patterns to spoof recognition or classification, such as special stickers [37], [33], [77], T-shirts [88], or posters [86]. (2) Lidar: Most approaches are achieved by placing objects with special geometric shapes [69], [26], [25], [80], [63] to spoof the segmentation or recognition models. (3) Microphone: Most approaches use speakers to play unusual noises over-the-air to make the Automatic Speech Recognition unable to distinguish or misunderstand voice commands [68], [28], [87], [23].…”

Section: Related Workmentioning

confidence: 99%

MetaWave: Attacking mmWave Sensing with Meta-material-enhanced Tags

Chen¹,

Li²,

Chen³

et al. 2023

Proceedings 2023 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Millimeter-wave (mmWave) sensing has been applied in many critical applications, serving millions of thousands of people around the world. However, it is vulnerable to attacks in the real world. These attacks are based on expensive and professional radio frequency (RF) modulator-based instruments and can be prevented by conventional practice (e.g., RF fingerprint). In this paper, we propose and design a novel passive mmWave attack, called MetaWave, with low-cost and easily obtainable meta-material tags for both vanish and ghost attack types. These meta-material tags are made of commercial offthe-shelf (COTS) materials with customized tag designs to attack various goals, which considerably low the attack bar on mmWave sensing. Specifically, we demonstrate that tags made of ordinal material (e.g., C-RAM LF) can be leveraged to precisely tamper the mmWave echo signal and spoof the range, angle, and speed sensing measurements. Besides, to optimize the attack, a general simulator-based MetaWave attack framework is proposed and designed to simulate the tag modulation effects on the mmWave signal with advanced tag and scene parameters. We evaluate, MetaWave, the meta-material tag attack in both simulation and real-world experiments (i.e., 20 different environments) with various attack settings. Experimental results demonstrate that MetaWave can achieve up to 97% Top-1 attack accuracy on range estimation, 96% on angle estimation, and 91% on speed estimation in actual practice, 10-100X cheaper than existing mmWave attack methods. We also evaluate the usability and robustness of MetaWave under different real-world scenarios. Moreover, we conduct in-depth analysis and discussion on countermeasures for MetaWave mmWave attacks to improve wireless sensing and cyber-infrastructure security.

show abstract

“…With the digital proliferation, increasingly sophisticated attack strategies are emerging to take the offensive against Deep Neural Networks (DNNs). A thorough investigation has been conducted on the vulnerability of DNNs to various malicious attacks capable of creating adversarial examples with the goal of breaking the prediction of DNNs [30]. There are two major categories of these attacks: [31].…”

Section: White-box Adversarial Attacksmentioning

confidence: 99%

Robust Federated Learning Against Adversarial Attacks for Speech Emotion Recognition

Chen¹,

Sofiane²,

Zhao³

et al. 2022

Preprint

View full text Add to dashboard Cite

Due to the development of machine learning and speech processing, speech emotion recognition has been a popular research topic in recent years. However, the speech data cannot be protected when it is uploaded and processed on servers in the internet-of-things applications of speech emotion recognition. Furthermore, deep neural networks have proven to be vulnerable to human-indistinguishable adversarial perturbations. The adversarial attacks generated from the perturbations may result in deep neural networks wrongly predicting the emotional states. We propose a novel federated adversarial learning framework for protecting both data and deep neural networks. The proposed framework consists of i) federated learning for data privacy, and ii) adversarial training at the training stage and randomisation at the testing stage for model robustness. The experiments show that our proposed framework can effectively protect the speech data locally and improve the model robustness against a series of adversarial attacks.

show abstract

Adversarial Example Attacks in the Physical World

Cited by 7 publications

References 23 publications

DRE: density-based data selection with entropy for adversarial-robust deep learning models

DRE: density-based data selection with entropy for adversarial-robust deep learning models

MetaWave: Attacking mmWave Sensing with Meta-material-enhanced Tags

Robust Federated Learning Against Adversarial Attacks for Speech Emotion Recognition

Contact Info

Product

Resources

About