Attack to Fool and Explain Deep Networks

Akhtar, Naveed; Jalwana, Mohammad A. A. K.; Bennamoun, Mohammed; Mian, Ajmal

doi:10.1109/tpami.2021.3083769

Cited by 23 publications

(14 citation statements)

References 69 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, we summarize physical attacks against image classification ( [17], [86], [90]- [93], [156], [162], [164], [165], [167]- [171]) in Table IV.…”

Section: Black-box Attacksmentioning

confidence: 99%

Benchmarking Adversarial Patch Against Aerial Detection

Lian

Mei

Zhang

et al. 2022

IEEE Trans. Geosci. Remote Sensing

View full text Add to dashboard Cite

Deep neural networks (DNNs) have found widespread applications in interpreting remote sensing (RS) imagery. However, it has been demonstrated in previous works that DNNs are vulnerable to different types of noises, particularly adversarial noises. Surprisingly, there has been a lack of comprehensive studies on the robustness of RS tasks, prompting us to undertake a thorough survey and benchmark on the robustness of image classification and object detection in RS. To our best knowledge, this study represents the first comprehensive examination of both natural robustness and adversarial robustness in RS tasks. Specifically, we have curated and made publicly available datasets that contain natural and adversarial noises. These datasets serve as valuable resources for evaluating the robustness of DNNs-based models. To provide a comprehensive assessment of model robustness, we conducted meticulous experiments with numerous different classifiers and detectors, encompassing a wide range of mainstream methods. Through rigorous evaluation, we have uncovered insightful and intriguing findings, which shed light on the relationship between adversarial noise crafting and model training, yielding a deeper understanding of the susceptibility and limitations of various models, and providing guidance for the development of more resilient and robust models

show abstract

“…Finally, we summarize physical attacks against image classification ( [17], [86], [90]- [93], [156], [162], [164], [165], [167]- [171]) in Table IV.…”

Section: Black-box Attacksmentioning

confidence: 99%

Benchmarking Adversarial Patch Against Aerial Detection

Lian

Mei

Zhang

et al. 2022

IEEE Trans. Geosci. Remote Sensing

View full text Add to dashboard Cite

show abstract

“…However, the universal perturbation can still be a noise-like pattern to the human eye when the interpretation is applied. The study [10] proposed that extended universal perturbation can exploit the explainability of models by carefully exploring the decision boundaries of deep models. The authors showed that their attack can be used to interpret the internal working process of DL models.…”

Section: Related Workmentioning

confidence: 99%

“…When an interpreter is adopted with a DL model, the involvement of the adversary can easily be detected (see Figure 1). The main idea of our attack is also based on generating universal perturbation [10]. Unlike those attacks, we consider misleading the interpretability along with classification while generating adversarial samples to increase the robustness and stealthiness of the attack.…”

Section: Related Workmentioning

confidence: 99%

“…Thus, Interpretable Deep Learning Systems (IDLSes) have gained considerable attention, as they provide predictions and interpretations. However, recent studies have demonstrated the feasibility and practicality of creating adversarial examples (AE) that deceive both the target prediction model and its associated interpreters [8], [9], [10], [11], [12]. Consequently, IDLSes cannot guarantee robust security measures for detecting AEs.…”

Section: Introductionmentioning

confidence: 99%

“…Additionally, Figure 2 demonstrates that the employed interpreter can detect previous attacks, even in white-box scenarios. For example, Figure 1 shows that the existing universal perturbation attacks [10] can be detected due to the inconsistencies between the adversarial interpretations and the object of the image, which can be recognized by an "observer." On the other hand, our approach generates adversarial interpretations that are indistinguishable from benign ones, suggesting no manipulation of the input data.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Black-box and Target-specific Attack Against Interpretable Deep Learning Systems

Abdukhamidov

Juraev

Abuhamad

et al. 2022

Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Developing a custom model specifically tailored to address domain-specific problems is crucial for achieving optimal performance. The interpretation of machine learning models plays a pivotal role in this development, aiding domain experts in gaining insights into the internal mechanisms of these models. However, adversarial attacks pose a significant threat to public trust by making interpretations of deep learning models confusing and difficult to understand. In this paper, we present a novel Single-class target-specific ADVersarial attack called SingleADV. The goal of SingleADV is to generate a universal perturbation that deceives the target model into confusing a specific category of objects with a target category while ensuring highly relevant and accurate interpretations. The universal perturbation is stochastically and iteratively optimized by minimizing the adversarial loss that is designed to consider both the classifier and interpreter costs in targeted and non-targeted categories. In this optimization framework, ruled by the first-and second-moment estimations, the desired loss surface promotes high confidence and interpretation score of adversarial samples. By avoiding unintended misclassification of samples from other categories, SingleADV enables more effective targeted attacks on interpretable deep learning systems in both white-box and black-box scenarios. To evaluate the effectiveness of SingleADV, we conduct experiments using four different model architectures (ResNet-50, VGG-16, DenseNet-169, and Inception-V3) coupled with three interpretation models (CAM, Grad, and MASK). Through extensive empirical evaluation, we demonstrate that SingleADV effectively deceives the target deep learning models and their associated interpreters under various conditions and settings. Our experimental results show that the performance of SingleADV is effective, with an average fooling ratio of 0.74 and an adversarial confidence level of 0.78 in generating deceptive adversarial samples. Furthermore, we discuss several countermeasures against SingleADV, including a transfer-based learning approach and existing preprocessing defenses.

show abstract