CLPA: Clean-Label Poisoning Availability Attacks Using Generative Adversarial Nets

Zhao, Bingyin; Lao, Yingjie

doi:10.1609/aaai.v36i8.20902

Cited by 15 publications

(17 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Shafahi et al [35] constructed the clean-label poisoning data by feature collision and care-fully designed poisoning samples with high similarity to benign samples in the feature space. Zhao et al [36] proposed a poisoning attack method with high stealthiness against image classification models based on generative adversarial networks. Kurita et al [37] proposed a poisoning sample generation method for pre-trained models, which can cause destroy models dealing with different computer vision tasks.…”

Section: Poisoning Attacksmentioning

confidence: 99%

“…Poisoning Attack Settings: To demonstrate the effectiveness of the proposed defense framework against poisoning attacks, we use different poisoning sample generation strategies, including clean-label attack [35], back-gradient attack [38], generative attack [65], feature selection attack [66], transferable clean-label attack [67], and concealed poisoning attack [68]. For different attack methods, we only consider the untargeted attack scenario, which destroys the prediction results of the target model for all categories of pixels.…”

Section: Experimental Setup and Implementation Detailsmentioning

confidence: 99%

See 1 more Smart Citation

Defending against Poisoning Attacks in Aerial Image Semantic Segmentation with Robust Invariant Feature Enhancement

Wang

Zhang

et al. 2023

Remote Sensing

View full text Add to dashboard Cite

The outstanding performance of deep neural networks (DNNs) in multiple computer vision in recent years has promoted its widespread use in aerial image semantic segmentation. Nonetheless, prior research has demonstrated the high susceptibility of DNNs to adversarial attacks. This poses significant security risks when applying DNNs to safety-critical earth observation missions. As an essential means of attacking DNNs, data poisoning attacks destroy model performance by contaminating model training data, allowing attackers to control prediction results by carefully crafting poisoning samples. Toward building a more robust DNNs-based aerial image semantic segmentation model, in this study, we proposed a robust invariant feature enhancement network (RIFENet) that can resist data poisoning attacks and has superior semantic segmentation performance. The constructed RIFENet improves the resistance to poisoning attacks by extracting and enhancing robust invariant features. Specifically, RIFENet uses a texture feature enhancement module (T-FEM), structural feature enhancement module (S-FEM), global feature enhancement module (G-FEM), and multi-resolution feature fusion module (MR-FFM) to enhance the representation of different robust features in the feature extraction process to suppress the interference of poisoning samples. Experiments on several benchmark aerial image datasets demonstrate that the proposed method is more robust and exhibits better generalization than other state-of-the-art methods.

show abstract

Section: Poisoning Attacksmentioning

confidence: 99%

Section: Experimental Setup and Implementation Detailsmentioning

confidence: 99%

Defending against Poisoning Attacks in Aerial Image Semantic Segmentation with Robust Invariant Feature Enhancement

Wang

Zhang

et al. 2023

Remote Sensing

View full text Add to dashboard Cite

show abstract

“…Concern over the ease of DNN model theft has motivated researchers to extend these concepts to deep learning. To this end, researchers have leveraged model poisoning and backdoor attacks as a method of embedding the owner's signature into a model (Zhao and Lao 2022;Li, Wang, and Barni 2021). This induces abnormal outputs for specific inputs that can identify the DNN.…”

Section: Dnn Watermarkingmentioning

confidence: 99%

DeepHardMark: Towards Watermarking Neural Network Hardware

Clements

Lao

2022

AAAI

Self Cite

View full text Add to dashboard Cite

This paper presents a framework for embedding watermarks into DNN hardware accelerators. Unlike previous works that have looked at protecting the algorithmic intellectual properties of deep learning systems, this work proposes a methodology for defending deep learning hardware. Our methodology embeds modifications into the hardware accelerator's functional blocks that can be revealed with the rightful owner's key DNN and corresponding key sample, verifying the legitimate owner. We propose an Lp-box ADMM based algorithm to co-optimize watermark's hardware overhead and impact on the design's algorithmic functionality. We evaluate the performance of the hardware watermarking scheme on popular image classifier models using various accelerator designs. Our results demonstrate that the proposed methodology effectively embeds watermarks while preserving the original functionality of the hardware architecture. Specifically, we can successfully embed watermarks into the deep learning hardware and reliably execute a ResNet ImageNet classifiers with an accuracy degradation of only 0.009%

show abstract

“…Since AoA only modifies the loss function, it can be readily combined with other transferability-enhancing methods to achieve SOTA performance. In study [213], the authors [133] introduces a clean-label approach for the poisoning availability attack, which reveals the intrinsic imperfection of classifiers. Paper [214] highlights how the global reasoning of (scaled) dot-product attention can represent a significant vulnerability when faced with adversarial patch attacks.…”

Section: Black-box Attacksmentioning

confidence: 99%

Benchmarking Adversarial Patch Against Aerial Detection

Lian

Mei

Zhang

et al. 2022

IEEE Trans. Geosci. Remote Sensing

View full text Add to dashboard Cite

Deep neural networks (DNNs) have found widespread applications in interpreting remote sensing (RS) imagery. However, it has been demonstrated in previous works that DNNs are vulnerable to different types of noises, particularly adversarial noises. Surprisingly, there has been a lack of comprehensive studies on the robustness of RS tasks, prompting us to undertake a thorough survey and benchmark on the robustness of image classification and object detection in RS. To our best knowledge, this study represents the first comprehensive examination of both natural robustness and adversarial robustness in RS tasks. Specifically, we have curated and made publicly available datasets that contain natural and adversarial noises. These datasets serve as valuable resources for evaluating the robustness of DNNs-based models. To provide a comprehensive assessment of model robustness, we conducted meticulous experiments with numerous different classifiers and detectors, encompassing a wide range of mainstream methods. Through rigorous evaluation, we have uncovered insightful and intriguing findings, which shed light on the relationship between adversarial noise crafting and model training, yielding a deeper understanding of the susceptibility and limitations of various models, and providing guidance for the development of more resilient and robust models

show abstract

CLPA: Clean-Label Poisoning Availability Attacks Using Generative Adversarial Nets

Cited by 15 publications

References 18 publications

Defending against Poisoning Attacks in Aerial Image Semantic Segmentation with Robust Invariant Feature Enhancement

Defending against Poisoning Attacks in Aerial Image Semantic Segmentation with Robust Invariant Feature Enhancement

DeepHardMark: Towards Watermarking Neural Network Hardware

Benchmarking Adversarial Patch Against Aerial Detection

Contact Info

Product

Resources

About