On the Vulnerability of Capsule Networks to Adversarial Attacks

Michels, Felix; Uelwer, Tobias; Eric, Upschulte,; Harmeling, Stefan

doi:10.48550/arxiv.1906.03612

Cited by 8 publications

(8 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…(i) Fast Gradient Sign Method (FGSM): FGSM is a simple, fast, and singlestep attack type, which can quickly generate adversarial examples. It was first introduced by Goodfellow et al in 2014 [26]. The gradient sign is computed using backpropagation and is quite fast.…”

Section: Adversarial Machine Learningmentioning

confidence: 99%

The Adversarial Security Mitigations of mmWave Beamforming Prediction Models using Defensive Distillation and Adversarial Retraining

Kuzlu¹,

Çatak²,

Cali³

et al. 2022

Preprint

View full text Add to dashboard Cite

The design of a security scheme for beamforming prediction is critical for next-generation wireless networks (5G, 6G, and beyond). However, there is no consensus about protecting the beamforming prediction using deep learning algorithms in these networks. This paper presents the security vulnerabilities in deep learning for beamforming prediction using deep neural networks (DNNs) in 6G wireless networks, which treats the beamforming prediction as a multi-output regression problem. It is indicated that the initial DNN model is vulnerable against adversarial attacks, such as Fast Gradient Sign Method (FGSM), Basic Iterative Method (BIM), Projected Gradient Descent (PGD), and Momentum Iterative Method (MIM), because the initial DNN model is sensitive to the perturbations of the adversarial samples of the training data. This study also offers two mitigation methods, such as adversarial training and defensive distillation, for adversarial attacks against artificial intelligence (AI)-based models used in the millimeter-wave (mmWave) beamforming prediction. Furthermore, the proposed scheme can be used in situations where the data are corrupted due to the adversarial examples in the training data. Experimental results show that the proposed methods effectively defend

show abstract

Section: Adversarial Machine Learningmentioning

confidence: 99%

The Adversarial Security Mitigations of mmWave Beamforming Prediction Models using Defensive Distillation and Adversarial Retraining

Kuzlu¹,

Çatak²,

Cali³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Jaesik [2] gave a variety of successful methods of adversarial attacks on capsule network. Michels et al [3] proved that the ability of capsule network to resist white-box attacks isn't better than traditional CNNs. Marchisio et al [4] designed a black-box attack algorithm against capsule network and verified its effectiveness on German Traffic Sign Recognition Benchmark (GTSRB).…”

Section: Security Threats Of Capsule Networkmentioning

confidence: 99%

“…Based on abstraction, it further analyzes the spatial relationship between features in order to promote the reliability of classification. However, recent studies have found that capsule network is also facing security threats [2][3][4][5]. These studies focus on capsule networks based on dynamic routing.…”

Section: Introductionmentioning

confidence: 99%

An Evasion Attack against Stacked Capsule Autoencoder

Dai¹,

Xiong²

2022

Algorithms

View full text Add to dashboard Cite

Capsule networks are a type of neural network that use the spatial relationship between features to classify images. By capturing the poses and relative positions between features, this network is better able to recognize affine transformation and surpass traditional convolutional neural networks (CNNs) when handling translation, rotation, and scaling. The stacked capsule autoencoder (SCAE) is a state-of-the-art capsule network that encodes an image in capsules which each contain poses of features and their correlations. The encoded contents are then input into the downstream classifier to predict the image categories. Existing research has mainly focused on the security of capsule networks with dynamic routing or expectation maximization (EM) routing, while little attention has been given to the security and robustness of SCAEs. In this paper, we propose an evasion attack against SCAEs. After a perturbation is generated based on the output of the object capsules in the model, it is added to an image to reduce the contribution of the object capsules related to the original category of the image so that the perturbed image will be misclassified. We evaluate the attack using an image classification experiment on the Mixed National Institute of Standards and Technology Database (MNIST), Fashion-MNIST, and German Traffic Sign Recognition Benchmark (GTSRB) datasets, and the average attack success rate can reach 98.6%. The experimental results indicate that the attack can achieve high success rates and stealthiness. This finding confirms that the SCAE has a security vulnerability that allows for the generation of adversarial samples. Our work seeks to highlight the threat of this attack and focus attention on SCAE’s security.

show abstract

“…The challenge posed by the pooling layer is less trivial when classifying the whole image, but extremely challenging when performing image segmentation or object detection which requires preservation of pose (position, orientation, size, hue, albedo, etc.) [7].…”

Section: Introduction Convolution Neural Network Has Been Successful ...mentioning

confidence: 99%

Security Analysis of Capsule Network Inference using Horizontal Collaboration

Adeyemo¹,

Khalid²,

Odetola³

et al. 2021

Preprint

View full text Add to dashboard Cite

The traditional convolution neural networks (CNN) have several drawbacks like the "Picasso effect" and the loss of information by the pooling layer. The Capsule network (CapsNet) was proposed to address these challenges because its architecture can encode and preserve the spatial orientation of input images. Similar to traditional CNNs, CapsNet is also vulnerable to several malicious attacks, as studied by several researchers in the literature. However, most of these studies focus on singledevice-based inference, but horizontally collaborative inference in state-of-the-art systems, like intelligent edge services in selfdriving cars, voice controllable systems, and drones, nullify most of these analyses. Horizontal collaboration implies partitioning the trained CNN models or CNN tasks to multiple end devices or edge nodes. Therefore, it is imperative to examine the robustness of the CapsNet against malicious attacks when deployed in horizontally collaborative environments. Towards this, we examine the robustness of the CapsNet when subjected to noise-based inference attacks in a horizontal collaborative environment. In this analysis, we perturbed the feature maps of the different layers of four DNN models, i.e., CapsNet, mini-VGGNet, LeNet, and an in-house designed CNN (ConvNet) with the same number of parameters as CapsNet, using two types of noised-based attacks, i.e., Gaussian Noise Attack and FGSM noise attack. The experimental results show that similar to the traditional CNNs, depending upon the attacker's access to the DNN layer, the classification accuracy of the CapsNet drops significantly. For example, when Gaussian Noise Attack classification is performed at the Digit-cap layer of the CapsNet, the maximum classification accuracy drop is approximately 97%. Similarly, the maximum classification accuracy drop is 90.1% when an FGSM noise attack is performed at the Conv layer of the CapsNet.

show abstract

On the Vulnerability of Capsule Networks to Adversarial Attacks

Cited by 8 publications

References 0 publications

The Adversarial Security Mitigations of mmWave Beamforming Prediction Models using Defensive Distillation and Adversarial Retraining

The Adversarial Security Mitigations of mmWave Beamforming Prediction Models using Defensive Distillation and Adversarial Retraining

An Evasion Attack against Stacked Capsule Autoencoder

Security Analysis of Capsule Network Inference using Horizontal Collaboration

Contact Info

Product

Resources

About