Determining a Sequence of Image Processing Techniques (IPTS) to Detect Adversarial Attacks

Developing machine learning models that are secure against adversarial examples is challenging, as new methods for generating adversarial attacks are continually being devised. In this work, we propose an evolutionary approach that automatically determines an Image Processing Techniques Sequence (IPTS) for detecting malicious inputs. We first use a diverse set of attack methods, including adaptive attacks tailored to our defense, to generate adversarial samples from a clean dataset. A detection framework based on a genetic algorithm (GA) is then developed to find the optimal IPTS, where optimality is estimated with fitness measures such as Euclidean distance, entropy loss, average histogram, local binary pattern, and loss functions. The "image difference" between the original and processed images is used to extract features, which are fed to a classification scheme that determines whether an input sample is adversarial or clean. This paper describes our methodology and reports experiments on multiple datasets tested against several adversarial attacks. For each attack type and dataset, the approach generates a unique IPTS. At test time, a set of IPTS is selected dynamically and acts as a filter against adversarial attacks. Our empirical results are promising, indicating that the approach can serve efficiently as pre-processing for any AI model.
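To make the search concrete, the sketch below shows how a GA-driven IPTS search of this kind could look in Python. It is a minimal illustration under stated assumptions, not the paper's implementation: the three-operator IPT pool, the Euclidean image-difference fitness, and the one-point crossover with elitist selection are all illustrative choices, and the names IPTS_POOL, apply_sequence, fitness, and evolve are hypothetical.

```python
# Minimal sketch (not the authors' exact method) of a GA that evolves an
# Image Processing Technique Sequence (IPTS). Operators, fitness, and
# hyperparameters are illustrative assumptions.
import random
import numpy as np
from scipy.ndimage import gaussian_filter, median_filter

# Candidate image processing techniques; one gene = one IPT name.
IPTS_POOL = {
    "gaussian": lambda img: gaussian_filter(img, sigma=1.0),
    "median": lambda img: median_filter(img, size=3),
    "bit_squeeze": lambda img: np.round(img * 7) / 7.0,  # 3-bit depth reduction
}

def apply_sequence(seq, img):
    """Apply each IPT in the sequence to the image, in order."""
    for name in seq:
        img = IPTS_POOL[name](img)
    return img

def fitness(seq, clean, adversarial):
    """Hypothetical fitness: how much more the sequence perturbs adversarial
    images than clean ones, via the mean Euclidean 'image difference'."""
    d_clean = np.mean([np.linalg.norm(x - apply_sequence(seq, x)) for x in clean])
    d_adv = np.mean([np.linalg.norm(x - apply_sequence(seq, x)) for x in adversarial])
    return d_adv - d_clean  # larger gap -> clean/adversarial easier to separate

def evolve(clean, adversarial, pop_size=20, seq_len=3, generations=30):
    """Evolve IPT sequences with elitist selection, one-point crossover,
    and random mutation; return the best sequence found."""
    names = list(IPTS_POOL)
    pop = [[random.choice(names) for _ in range(seq_len)] for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=lambda s: fitness(s, clean, adversarial), reverse=True)
        elite = pop[: pop_size // 2]  # keep the fitter half
        children = []
        for _ in range(pop_size - len(elite)):
            a, b = random.sample(elite, 2)
            cut = random.randrange(1, seq_len)  # one-point crossover
            child = a[:cut] + b[cut:]
            if random.random() < 0.2:  # mutation: swap one IPT at random
                child[random.randrange(seq_len)] = random.choice(names)
            children.append(child)
        pop = elite + children
    return pop[0]  # best-so-far survives via elitism
```

In use, the image-difference features of the winning sequence (here only the Euclidean distance; the paper's fitness measures also include entropy loss, average histogram, and local binary pattern) would be fed to a downstream classifier that flags inputs as adversarial or clean.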
