Seeing isn't Believing

Zhao, Yiqiang; Zhu, Hong; Liang, Ruigang; Shen, Qintao; Zhang, Shengzhi; Chen, Kai

doi:10.1145/3319535.3354259

Cited by 122 publications

(63 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They model this as a closed-loop system, and design an algorithm that searches the input space of the classifier to find sets of inputs that are misclassified. In [113], Zhao et al devise a new methodology for generating adversarial examples to trick machine learning based object detectors. They perform two types of attacks: a hiding attack where the object is not recognized, and an appearing attack where the object is classified incorrectly.…”

Section: Signal Injection Attacks: Known Attacksmentioning

confidence: 99%

See 1 more Smart Citation

Security and Privacy in the Emerging Cyber-Physical World: A Survey

Kaplan

Yan

et al. 2021

IEEE Commun. Surv. Tutorials

View full text Add to dashboard Cite

With the emergence of low-cost smart and connected IoT devices, the area of cyber-physical security is becoming increasingly important. Past research has demonstrated new threat vectors targeting the transition process between the cyber and physical domains, where the attacker exploits the sensing system as an attack surface for signal injection or extraction of private information. Recently, there have been attempts to characterize an abstracted model for signal injection, but they primarily focus on the path of signal processing. This paper aims to systematize the existing research on security and privacy problems arising from the interaction of cyber world and physical world, with the context of broad CPS applications. The primary goals of the systematization are to (1) reveal the attack patterns and extract a general attack model of existing work, (2) understand possible new attacks, and (3) motivate development of defenses against the emerging cyber-physical threats.

show abstract

Section: Signal Injection Attacks: Known Attacksmentioning

confidence: 99%

“…However, given the ease deployment, these defenses are favored for real-world implementations. [92], [110], [111], [114], [113]…”

Section: Application-domain Defensementioning

confidence: 99%

Security and Privacy in the Emerging Cyber-Physical World: A Survey

Kaplan

Yan

et al. 2021

IEEE Commun. Surv. Tutorials

View full text Add to dashboard Cite

show abstract

“…Adversarial attacks on object detectors have also received extensive attention [6][7][8][9][10][11]. Adversarial patch attacks on object detectors (unlike traditional camouflage that evades detection of object detectors by placing camouflage nets to cover important objects) are being explored to achieve concealment of important objects, such as aircraft (simple production method and low production cost), by deceiving object detectors and guiding them to make incorrect decisions [12][13][14].…”

Section: Introductionmentioning

confidence: 99%

“…Currently, research on adversarial patch attacks in terms of object detectors is mainly conducted on natural images [12][13][14][15]. These attack methods usually generate a fixed-size adversarial patch to attack an object detector.…”

Section: Introductionmentioning

confidence: 99%

Scale-Adaptive Adversarial Patch Attack for Remote Sensing Image Aircraft Detection

Chen

et al. 2021

Remote Sensing

View full text Add to dashboard Cite

With the adversarial attack of convolutional neural networks (CNNs), we are able to generate adversarial patches to make an aircraft undetectable by object detectors instead of covering the aircraft with large camouflage nets. However, aircraft in remote sensing images (RSIs) have the problem of large variations in scale, which can easily cause size mismatches between an adversarial patch and an aircraft. A small adversarial patch has no attack effect on large aircraft, and a large adversarial patch will completely cover small aircraft so that it is impossible to judge whether the adversarial patch has an attack effect. Therefore, we propose the adversarial attack method Patch-Noobj for the problem of large-scale variation in aircraft in RSIs. Patch-Noobj adaptively scales the width and height of the adversarial patch according to the size of the attacked aircraft and generates a universal adversarial patch that can attack aircraft of different sizes. In the experiment, we use the YOLOv3 detector to verify the effectiveness of Patch-Noobj on multiple datasets. The experimental results demonstrate that our universal adversarial patches are well adapted to aircraft of different sizes on multiple datasets and effectively reduce the Average Precision (AP) of the YOLOv3 detector on the DOTA, NWPU VHR-10, and RSOD datasets by 48.2%, 23.9%, and 20.2%, respectively. Moreover, the universal adversarial patch generated on one dataset is also effective in attacking aircraft on the remaining two datasets, while the adversarial patch generated on YOLOv3 is also effective in attacking YOLOv5 and Faster R-CNN, which demonstrates the attack transferability of the adversarial patch.

show abstract

“…Attackers could fast generate adversarial examples by using the gradient of loss function for deep network, then viewing implementing attack as an optimization problem and construct powerful adversarial examples with different distortion metric. Recent studies 6–8 show that adversarial attacks can be implemented in physical scenarios, which gives rise to severe safety issues. Hence, defending against adversarial attacks has emerged as a critical factor in artificial intelligence security.…”

Section: Introductionmentioning

confidence: 99%

Detection defense against adversarial attacks with saliency map

Chen

Liu

et al. 2021

Int J of Intelligent Sys

View full text Add to dashboard Cite

It is well established that neural networks are vulnerable to adversarial examples, which are almost imperceptible on human vision and can cause the deep models misbehave. Such phenomenon may lead to severely inestimable consequences in the safety and security critical applications. Existing defenses are trend to harden the robustness of models against adversarial attacks, for example, adversarial training technology. However, these are usually intractable to implement due to the high cost of retraining and the cumbersome operations of altering the model architecture or parameters. In this paper, we discuss the saliency map method from the view of enhancing model interpretability, it is similar to introducing the mechanism of the attention to the model, so as to comprehend the progress of object identification by the deep networks. We then propose a novel method combined with additional noises and utilize the inconsistency strategy to detect adversarial examples. Our experimental results of some representative adversarial attacks on common data sets including ImageNet and popular models show that our method can detect all the attacks with high detection success rate effectively. We compare it with the existing state‐of‐the‐art technique, and the experiments indicate that our method is more general.

show abstract

Seeing isn't Believing

Cited by 122 publications

References 26 publications

Security and Privacy in the Emerging Cyber-Physical World: A Survey

Security and Privacy in the Emerging Cyber-Physical World: A Survey

Scale-Adaptive Adversarial Patch Attack for Remote Sensing Image Aircraft Detection

Detection defense against adversarial attacks with saliency map

Contact Info

Product

Resources

About