Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation

This paper explores the connection between forensics, counterforensics, steganography and adversarial images. On the one hand, forensicsbased and steganalysis-based detectors help in detecting adversarial perturbations. On the other hand, steganography can be used as a counterforensics strategy and helps in forging adversarial perturbations that are not only invisible to the human eye but also less statistically detectable. This work explains how to use these information hiding tools for attacking or defending computer vision image classification. We play this cat and mouse game using both recent deep-learning content-based classifiers, forensics detectors derived from steganalysis, and steganographic distortions dedicated to color quantized images. It turns out that crafting adversarial perturbations relying on steganographic perturbations is an effective counter-forensics strategy.

show abstract

“…To randomize: At testing, the classifier depends on a secret key or an alea. This blocks pure white-box attacks [37,38].…”

Section: Defensesmentioning

confidence: 98%

Forensics Through Stega Glasses: The Case of Adversarial Images

Bonnet

Furon

Bas

2021

Pattern Recognition. ICPR International Workshops and Challenges

View full text Add to dashboard Cite

show abstract

“…Olga Taran et al propose a novel Key-based Diversified Aggregation method as a defence strategy to handle both grey and black-box adversarial attacks [24]. The randomisation method used in this work prevents backpropagation in gradients, thus confining the adversarial attack to bypass the model.…”

Section: Literature Reviewmentioning

confidence: 99%

Study on Network Virtual Printing Sculpture Design using Artificial Intelligence

Wang

Sirivesmas

2023

Int. j. commun. netw. inf. secur.

View full text Add to dashboard Cite

Sculptures are visionaries of a country’s culture from time immemorial. Chinese sculptures hold an aesthetic value in the global market, catalysed by opening the country's gates. On the other hand, this paved the way for many duplicates and replicates of the original sculptures, defaming the entire artwork. This work proposes a defrauding model that deploys a Siamese-based Convolutional Neural Network (S-CNN) that effectively detects the mimicked sculpture images. Nevertheless, adversarial attacks are gaining momentum, compromising the deep learning models to make predictions for faked or forged images. The work uses a Simplified Graph Convolutional Network (SGCN) to misclassify the adversarial images generated by the Fast Gradient Sign Method (FGSM) to combat this attack. The model's training is done with adversarial images of the Imagenet dataset. By transfer learning, the model is rested for its efficacy in identifying the adversarial examples of the Chinese God images dataset. The results showed that the proposed model could detect the generated adversarial examples with a reasonable misclassification rate.

show abstract

“…Prakash et al proposed using a DNN-based adaptive JPEG encoder to preprocess the input [24]. For randomization or private keying, Taran et al proposed a key-based diversified aggregation mechanism to defend against gray-and black-box adversarial attacks [25]. Several adversarial databases have been independently created for evaluation, but guidelines for creating them have not been reported in detail [11], [17], [23].…”

Section: Introductionmentioning

confidence: 99%

Effects of Image Processing Operations on Adversarial Noise and Their Use in Detecting and Correcting Adversarial Images

Nguyen

Kuribayashi

Yamagishi

et al. 2022

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Deep neural networks (DNNs) have achieved excellent performance on several tasks and have been widely applied in both academia and industry. However, DNNs are vulnerable to adversarial machine learning attacks in which noise is added to the input to change the networks' output. Consequently, DNN-based mission-critical applications such as those used in self-driving vehicles have reduced reliability and could cause severe accidents and damage. Moreover, adversarial examples could be used to poison DNN training data, resulting in corruptions of trained models. Besides the need for detecting adversarial examples, correcting them is important for restoring data and system functionality to normal. We have developed methods for detecting and correcting adversarial images that use multiple image processing operations with multiple parameter values. For detection, we devised a statistical-based method that outperforms the feature squeezing method. For correction, we devised a method that uses for the first time two levels of correction. The first level is label correction, with the focus on restoring the adversarial images' original predicted labels (for use in the current task). The second level is image correction, with the focus on both the correctness and quality of the corrected images (for use in the current and other tasks). Our experiments demonstrated that the correction method could correct nearly 90% of the adversarial images created by classical adversarial attacks and affected only about 2% of the normal images.

show abstract

Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation

Cited by 10 publications

References 50 publications

Forensics Through Stega Glasses: The Case of Adversarial Images

Forensics Through Stega Glasses: The Case of Adversarial Images

Study on Network Virtual Printing Sculpture Design using Artificial Intelligence

Effects of Image Processing Operations on Adversarial Noise and Their Use in Detecting and Correcting Adversarial Images

Contact Info

Product

Resources

About