检索结果-内蒙古大学图书馆

TARGETED ATTACK AGAINST DEEP NEURAL NETWORKS VIA FLIPPING LIMITED WEIGHT BITS 9

学校读者我要写书评

暂无评论

TARGETED ATTACK AGAINST DEEP NEURAL NETWORKS VIA FLIPPING LI...

9th International Conference on Learning Representations, ICLR 2021

作者： Bai, Jiawang Wu, Baoyuan Zhang, Yong Li, Yiming Li, Zhifeng Xia, Shu-Tao Tsinghua Shenzhen International Graduate School Tsinghua University China PCL Research Center of Networks and Communications Peng Cheng Laboratory China School of Data Science The Chinese University of HongKong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data China Tencent AI Lab

To explore the vulnerability of deep neural networks (DNNs), many attack paradigms have been well studied, such as the poisoning-based backdoor attack in the training stage and the adversarial attack in the inference stage. In this paper, we study a novel attack paradigm, which modifies model parameters in the deployment stage for malicious purposes. Specifically, our goal is to misclassify a specific sample into a target class without any sample modification, while not significantly reduce the prediction accuracy of other samples to ensure the stealthiness. To this end, we formulate this problem as a binary integer programming (BIP), since the parameters are stored as binary bits (i.e., 0 and 1) in the memory. By utilizing the latest technique in integer programming, we equivalently reformulate this BIP problem as a continuous optimization problem, which can be effectively and efficiently solved using the alternating direction method of multipliers (ADMM) method. Consequently, the flipped critical bits can be easily determined through optimization, rather than using a heuristic strategy. Extensive experiments demonstrate the superiority of our method in attacking DNNs. The code is available at: https://***/jiawangbai/TA-LBF. © 2021 ICLR 2021 - 9th International Conference on Learning Representations. All rights reserved.

关键词： Deep neural networks

Versatile Weight Attack via Flipping Limited Bits

学校读者我要写书评

暂无评论

arXiv 2022年

作者： Bai, Jiawang Wu, Baoyuan Li, Zhifeng Xia, Shu-Tao The Tsinghua Shenzhen International Graduate School Tsinghua University Shenzhen518057 China The School of Data Science Chinese University of Hong Kong Shenzhen China The Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data 518100 China Tencent Data Platform Shenzhen518057 China

To explore the vulnerability of deep neural networks (DNNs), many attack paradigms have been well studied, such as the poisoning-based backdoor attack in the training stage and the adversarial attack in the inference stage. In this paper, we study a novel attack paradigm, which modifies model parameters in the deployment stage. Considering the effectiveness and stealthiness goals, we provide a general formulation to perform the bit-flip based weight attack, where the effectiveness term could be customized depending on the attacker's purpose. Furthermore, we present two cases of the general formulation with different malicious purposes, i.e., single sample attack (SSA) and triggered samples attack (TSA). To this end, we formulate this problem as a mixed integer programming (MIP) to jointly determine the state of the binary bits (0 or 1) in the memory and learn the sample modification. Utilizing the latest technique in integer programming, we equivalently reformulate this MIP problem as a continuous optimization problem, which can be effectively and efficiently solved using the alternating direction method of multipliers (ADMM) method. Consequently, the flipped critical bits can be easily determined through optimization, rather than using a heuristic strategy. Extensive experiments demonstrate the superiority of SSA and TSA in attacking DNNs. Copyright © 2022, The Authors. All rights reserved.

关键词： Deep neural networks

Parallel Rectangle Flip Attack: A Query-based Black-box Attack against Object Detection

学校读者我要写书评

暂无评论

arXiv 2022年

作者： Liang, Siyuan Wu, Baoyuan Fan, Yanbo Wei, Xingxing Cao, Xiaochun Institute of Information Engineering Chinese Academy of Sciences Beijing China University of Chinese Academy of Sciences Beijing China School of Data Science The Chinese University of Hong Kong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data Shenzhen China Tencent Shenzhen China Institute of Artificial Intelligence Hangzhou Innovation Institute Beihang University Beijing China

Object detection has been widely used in many safety-critical tasks, such as autonomous driving. However, its vulnerability to adversarial examples has not been sufficiently studied, especially under the practical scenario of black-box attacks, where the attacker can only access the query feedback of predicted bounding-boxes and top-1 scores returned by the attacked model. Compared with black-box attack to image classification, there are two main challenges in black-box attack to detection. Firstly, even if one bounding-box is successfully attacked, another suboptimal bounding-box may be detected near the attacked bounding-box. Secondly, there are multiple bounding-boxes, leading to very high attack cost. To address these challenges, we propose a Parallel Rectangle Flip Attack (PRFA) via random search. We explain the difference between our method with other attacks in Fig. 1. Specifically, we generate perturbations in each rectangle patch to avoid sub-optimal detection near the attacked region. Besides, utilizing the observation that adversarial perturbations mainly locate around objects' contours and critical points under white-box attacks, the search space of attacked rectangles is reduced to improve the attack efficiency. Moreover, we develop a parallel mechanism of attacking multiple rectangles simultaneously to further accelerate the attack process. Extensive experiments demonstrate that our method can effectively and efficiently attack various popular object detectors, including anchor-based and anchor-free, and generate transferable adversarial examples. Copyright © 2022, The Authors. All rights reserved.

关键词： Geometry

LAS-AT: Adversarial Training with Learnable Attack Strategy

学校读者我要写书评

暂无评论

arXiv 2022年

作者： Jia, Xiaojun Zhang, Yong Wu, Baoyuan Ma, Ke Wang, Jue Cao, Xiaochun Institute of Information Engineering Chinese Academy of Sciences Beijing China School of Cyberspace Security University of Chinese Academy of Sciences Beijing China Tencent AI Lab Shenzhen China School of Data Science The Chinese University of Hong Kong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data Shenzhen China School of Computer Science and Technology University of Chinese Academy of Sciences Beijing China

Adversarial training (AT) is always formulated as a minimax problem, of which the performance depends on the inner optimization that involves the generation of adversarial examples (AEs). Most previous methods adopt Projected Gradient Decent (PGD) with manually specifying attack parameters for AE generation. A combination of the attack parameters can be referred to as an attack strategy. Several works have revealed that using a fixed attack strategy to generate AEs during the whole training phase limits the model robustness and propose to exploit different attack strategies at different training stages to improve robustness. But those multi-stage hand-crafted attack strategies need much domain expertise, and the robustness improvement is limited. In this paper, we propose a novel framework for adversarial training by introducing the concept of "learnable attack strategy", dubbed LAS-AT, which learns to automatically produce attack strategies to improve the model robustness. Our framework is composed of a target network that uses AEs for training to improve robustness, and a strategy network that produces attack strategies to control the AE generation. Experimental evaluations on three benchmark databases demonstrate the superiority of the proposed method. The code is released at https://***/jiaxiaojunQAQ/LAS-AT. Copyright © 2022, The Authors. All rights reserved.

关键词： Cryptography

Prototype-supervised adversarial network for targeted attack of deep hashing

学校读者我要写书评

暂无评论

arXiv 2021年

作者： Wang, Xunguang Zhang, Zheng Wu, Baoyuan Shen, Fumin Lu, Guangming Harbin Institute of Technology Shenzhen China Peng Cheng Laboratory School of Data Science The Chinese University of Hong Kong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data University of Electronic Science and Technology of China Koala Uran Tech

Due to its powerful capability of representation learning and high-efficiency computation, deep hashing has made significant progress in large-scale image retrieval. However, deep hashing networks are vulnerable to adversarial examples, which is a practical secure problem but seldom studied in hashing-based retrieval field. In this paper, we propose a novel prototype-supervised adversarial network (ProS-GAN), which formulates a flexible generative architecture for efficient and effective targeted hashing attack. To the best of our knowledge, this is the first generation-based method to attack deep hashing networks. Generally, our proposed framework consists of three parts, i.e., a PrototypeNet, a generator and a discriminator. Specifically, the designed PrototypeNet embeds the target label into the semantic representation and learns the prototype code as the category-level representative of the target label. Moreover, the semantic representation and the original image are jointly fed into the generator for flexible targeted attack. Particularly, the prototype code is adopted to supervise the generator to construct the targeted adversarial example by minimizing the Hamming distance between the hash code of the adversarial example and the prototype code. Furthermore, the generator is against the discriminator to simultaneously encourage the adversarial examples visually realistic and the semantic representation informative. Extensive experiments verify that the proposed framework can efficiently produce adversarial examples with better targeted attack performance and transferability over state-of-the-art targeted attack methods of deep hashing. Copyright © 2021, The Authors. All rights reserved.

关键词： Hamming distance

Probabilistic modeling of semantic ambiguity for scene graph generation

学校读者我要写书评

暂无评论

arXiv 2021年

作者： Yang, Gengcong Zhang, Jingyi Zhang, Yong Wu, Baoyuan Yang, Yujiu Tsinghua Shenzhen International Graduate School Tsinghua University China University of Electronic Science and Technology of China China Tencent AI Lab China School of Data Science The Chinese University of Hong Kong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data China

To generate "accurate" scene graphs, almost all existing methods predict pairwise relationships in a deterministic manner. However, we argue that visual relationships are often semantically ambiguous. Specifically, inspired by linguistic knowledge, we classify the ambiguity into three types: Synonymy Ambiguity, Hyponymy Ambiguity, and Multi-view Ambiguity. The ambiguity naturally leads to the issue of implicit multi-label, motivating the need for diverse predictions. In this work, we propose a novel plug-and-play Probabilistic Uncertainty Modeling (PUM) module. It models each union region as a Gaussian distribution, whose variance measures the uncertainty of the corresponding visual content. Compared to the conventional deterministic methods, such uncertainty modeling brings stochasticity of feature representation, which naturally enables diverse predictions. As a byproduct, PUM also manages to cover more fine-grained relationships and thus alleviates the issue of bias towards frequent relationships. Extensive experiments on the large-scale Visual Genome benchmark show that combining PUM with newly proposed ResCAGCN can achieve state-of-the-art performances, especially under the mean recall metric. Furthermore, we prove the universal effectiveness of PUM by plugging it into some existing models and provide insightful analysis of its ability to generate diverse yet plausible visual relationships. Copyright © 2021, The Authors. All rights reserved.

关键词： Forecasting

Towards open-world text-guided face image generation and manipulation

学校读者我要写书评

暂无评论

arXiv 2021年

作者： Xia, Weihao Yang, Yujiu Xue, Jing-Hao Wu, Baoyuan Tsinghua Shenzhen International Graduate School Tsinghua University China Department of Statistical Science University College London United Kingdom School of Data Science Chinese University of Hongkong Shenzhen China and Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data Shenzhen China

—The existing text-guided image synthesis methods can only produce limited quality results with at most 2562 resolution and the textual instructions are constrained in a small Corpus. In this work, we propose a unified framework for both face image generation and manipulation that produces diverse and high-quality images with an unprecedented resolution at 10242 from multimodal inputs. More importantly, our method supports open-world scenarios, including both image and text, without any re-training, fine-tuning, or post-processing. To be specific, we propose a brand new paradigm of text-guided image generation and manipulation based on the superior characteristics of a pretrained GAN model. Our proposed paradigm includes two novel strategies. The first strategy is to train a text encoder to obtain latent codes that align with the hierarchically semantic of the aforementioned pretrained GAN model. The second strategy is to directly optimize the latent codes in the latent space of the pretrained GAN model with guidance from a pretrained language model. The latent codes can be randomly sampled from a prior distribution or inverted from a given image, which provides inherent supports for both image generation and manipulation from multi-modal inputs, such as sketches or semantic labels, with textual guidance. To facilitate text-guided multi-modal synthesis, we propose the MULTI-MODAL CELEBA-HQ, a large-scale dataset consisting of real face images and corresponding semantic segmentation map, sketch, and textual descriptions. Extensive experiments on the introduced dataset demonstrate the superior performance of our proposed method. Copyright © 2021, The Authors. All rights reserved.

关键词： Generative adversarial networks

Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits

学校读者我要写书评

暂无评论

arXiv 2021年

作者： Bai, Jiawang Wu, Baoyuan Zhang, Yong Li, Yiming Li, Zhifeng Xia, Shu-Tao Tsinghua Shenzhen International Graduate School Tsinghua University China PCL Research Center of Networks and Communications Peng Cheng Laboratory China School of Data Science The Chinese University of Hong Kong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data China Tencent AI Lab United States

To explore the vulnerability of deep neural networks (DNNs), many attack paradigms have been well studied, such as the poisoning-based backdoor attack in the training stage and the adversarial attack in the inference stage. In this paper, we study a novel attack paradigm, which modifies model parameters in the deployment stage for malicious purposes. Specifically, our goal is to misclassify a specific sample into a target class without any sample modification, while not significantly reduce the prediction accuracy of other samples to ensure the stealthiness. To this end, we formulate this problem as a binary integer programming (BIP), since the parameters are stored as binary bits (i.e., 0 and 1) in the memory. By utilizing the latest technique in integer programming, we equivalently reformulate this BIP problem as a continuous optimization problem, which can be effectively and efficiently solved using the alternating direction method of multipliers (ADMM) method. Consequently, the flipped critical bits can be easily determined through optimization, rather than using a heuristic strategy. Extensive experiments demonstrate the superiority of our method in attacking DNNs. The code is available at: https://***/jiawangbai/TA-LBF. Copyright © 2021, The Authors. All rights reserved.

关键词： Deep neural networks

Prior-Guided Adversarial Initialization for Fast Adversarial Training

学校读者我要写书评

暂无评论

arXiv 2022年

作者： Jia, Xiaojun Zhang, Yong Wei, Xingxing Wu, Baoyuan Ma, Ke Wang, Jue Cao, Xiaochun SKLOIS Institute of Information Engineering CAS Beijing China School of Cyber Security University of Chinese Academy of Sciences Beijing China Tencent AI Lab Shenzhen China Institute of Artificial Intelligence Beihang University Beijing China School of Data Science Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data The Chinese University of Hong Kong Shenzhen China School of Computer Science and Technology UCAS Beijing China School of Cyber Science and Technology Shenzhen Campus Sun Yat-sen University Shenzhen518107 China

Fast adversarial training (FAT) effectively improves the efficiency of standard adversarial training (SAT). However, initial FAT encounters catastrophic overfitting, i.e., the robust accuracy against adversarial attacks suddenly and dramatically decreases. Though several FAT variants spare no effort to prevent overfitting, they sacrifice much calculation cost. In this paper, we explore the difference between the training processes of SAT and FAT and observe that the attack success rate of adversarial examples (AEs) of FAT gets worse gradually in the late training stage, resulting in overfitting. The AEs are generated by the fast gradient sign method (FGSM) with a zero or random initialization. Based on the observation, we propose a prior-guided FGSM initialization method to avoid overfitting after investigating several initialization strategies, improving the quality of the AEs during the whole training process. The initialization is formed by leveraging historically generated AEs without additional calculation cost. We further provide a theoretical analysis for the proposed initialization method. We also propose a simple yet effective regularizer based on the prior-guided initialization, i.e., the currently generated perturbation should not deviate too much from the prior-guided initialization. The regularizer adopts both historical and current adversarial perturbations to guide the model learning. Evaluations on four datasets demonstrate that the proposed method can prevent catastrophic overfitting and outperform state-of-the-art FAT methods. The code is released at https://***/jiaxiaojunQAQ/FGSM-PGI. Copyright © 2022, The Authors. All rights reserved.

关键词： Machine learning