检索结果-内蒙古大学图书馆

A Large-scale Multiple-objective Method for Black-box Attack against Object Detection

学校读者我要写书评

暂无评论

arXiv 2022年

作者： Liang, Siyuan Li, Longkang Fan, Yanbo Jia, Xiaojun Li, Jingzhi Wu, Baoyuan Cao, Xiaochun State Key Laboratory of Information Security Institute of Information Engineering Chinese Academy of Sciences Beijing China School of Cyber Security University of Chinese Academy of Sciences Beijing China School of Data Science Secure Computing Lab of Big Data The Chinese University of Hong Kong Shenzhen China Tencent AI Lab Shenzhen China School of Cyber Science and Technology Shenzhen Campus Sun Yat-sen University Shenzhen China

Recent studies have shown that detectors based on deep models are vulnerable to adversarial examples, even in the black-box scenario where the attacker cannot access the model information. Most existing attack methods aim to minimize the true positive rate, which often shows poor attack performance, as another sub-optimal bounding box may be detected around the attacked bounding box to be the new true positive one. To settle this challenge, we propose to minimize the true positive rate and maximize the false positive rate, which can encourage more false positive objects to block the generation of new true positive bounding boxes. It is modeled as a multi-objective optimization (MOP) problem, of which the generic algorithm can search the Pareto-optimal. However, our task has more than two million decision variables, leading to low searching efficiency. Thus, we extend the standard Genetic Algorithm with Random Subset selection and Divide-and-Conquer, called GARSDC, which significantly improves the efficiency. Moreover, to alleviate the sensitivity to population quality in generic algorithms, we generate a gradient-prior initial population, utilizing the transferability between different detectors with similar backbones. Compared with the state-of-art attack methods, GARSDC decreases by an average 12.0 in the mAP and queries by about 1000 times in extensive experiments. Our codes can be found at https://***/LiangSiyuan21/ GARSDC. © 2022, CC BY.

关键词： Object detection

Invisible Backdoor Attack with Sample-Specific Triggers

学校读者我要写书评

暂无评论

Invisible Backdoor Attack with Sample-Specific Triggers

International Conference on Computer Vision (ICCV)

作者： Yuezun Li Yiming Li Baoyuan Wu Longkang Li Ran He Siwei Lyu Ocean University of China Qingdao China Tsinghua Shenzhen International Graduate School Tsinghua University Shenzhen China School of Data Science The Chinese University of Hong Kong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data Shenzhen China NLPR/CRIPAC Institute of Automation Chinese Academy of Sciences Beijing China University at Buffalo SUNY NY USA

ISBN: (纸本)9781665428132

Recently, backdoor attacks pose a new security threat to the training process of deep neural networks (DNNs). Attackers intend to inject hidden backdoors into DNNs, such that the attacked model performs well on benign samples, whereas its prediction will be maliciously changed if hidden backdoors are activated by the attacker-defined trigger. Existing backdoor attacks usually adopt the setting that triggers are sample-agnostic, i.e., different poisoned samples contain the same trigger, resulting in that the attacks could be easily mitigated by current backdoor defenses. In this work, we explore a novel attack paradigm, where backdoor triggers are sample-specific. In our attack, we only need to modify certain training samples with invisible perturbation, while not need to manipulate other training components (e.g., training loss, and model structure) as required in many existing attacks. Specifically, inspired by the recent advance in DNN-based image steganography, we generate sample-specific invisible additive noises as backdoor triggers by encoding an attacker-specified string into benign images through an encoder-decoder network. The mapping from the string to the target label will be generated when DNNs are trained on the poisoned dataset. Extensive experiments on benchmark datasets verify the effectiveness of our method in attacking models with or without defenses. The code will be available at https://***/yuezunli/ISSBA.

关键词： Training Additive noise Deep learning Steganography Computer vision Image coding Perturbation methods

Parallel Rectangle Flip Attack: A Query-based Black-box Attack against Object Detection

学校读者我要写书评

暂无评论

Parallel Rectangle Flip Attack: A Query-based Black-box Atta...

International Conference on Computer Vision (ICCV)

作者： Siyuan Liang Baoyuan Wu Yanbo Fan Xingxing Wei Xiaochun Cao Institute of Information Engineering Chinese Academy of Sciences Beijing China University of Chinese Academy of Sciences Beijing China School of Data Science The Chinese University of Hong Kong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data Shenzhen China Tencent Shenzhen China Institute of Artificial Intelligence Hangzhou Innovation Institute Beihang University Beijing China

ISBN: (纸本)9781665428132

Object detection has been widely used in many safety- critical tasks, such as autonomous driving. However, its vulnerability to adversarial examples has not been sufficiently studied, especially under the practical scenario of black-box attacks, where the attacker can only access the query feedback of predicted bounding-boxes and top- 1 scores returned by the attacked model. Compared with black-box attack to image classification, there are two main challenges in black-box attack to detection. Firstly, even if one bounding-box is successfully attacked, another sub- optimal bounding-box may be detected near the attacked bounding-box. Secondly, there are multiple bounding- boxes, leading to very high attack cost. To address these challenges, we propose a Parallel Rectangle Flip Attack (PRFA) via random search. We explain the difference between our method with other attacks in Fig. 1. Specifically, we generate perturbations in each rectangle patch to avoid sub-optimal detection near the attacked region. Besides, utilizing the observation that adversarial perturbations mainly locate around objects’ contours and critical points under white-box attacks, the search space of attacked rectangles is reduced to improve the attack efficiency. Moreover, we develop a parallel mechanism of attacking multiple rectangles simultaneously to further accelerate the attack process. Extensive experiments demonstrate that our method can effectively and efficiently attack various popular object detectors, including anchor-based and anchor- free, and generate transferable adversarial examples.

关键词： Costs Perturbation methods Detectors Object detection Predictive models Search problems Task analysis

Rethinking the trigger of backdoor attack

学校读者我要写书评

暂无评论

arXiv 2020年

作者： Li, Yiming Zhai, Tongqing Wu, Baoyuan Jiang, Yong Li, Zhifeng Xia, Shu-Tao Tsinghua Shenzhen International Graduate School Tsinghua University Shenzhen China School of Data Science The Chinese University of Hong Kong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data Shenzhen China Tencent AI Lab Shenzhen China

Backdoor attack intends to inject hidden backdoor into the deep neural networks (DNNs), such that the prediction of the infected model will be maliciously changed if the hidden backdoor is activated by the attacker-defined trigger, while it performs well on benign samples. Currently, most of existing backdoor attacks adopted the setting of static trigger, i.e., triggers across the training and testing images follow the same appearance and are located in the same area. In this paper, we revisit this attack paradigm by analyzing the characteristics of the static trigger. We demonstrate that such an attack paradigm is vulnerable when the trigger in testing images is not consistent with the one used for training. We further explore how to utilize this property for backdoor defense, and discuss how to alleviate such vulnerability of existing attacks. Copyright © 2020, The Authors. All rights reserved.

关键词： Deep neural networks

TediGAN: Text-guided diverse face image generation and manipulation

学校读者我要写书评

暂无评论

arXiv 2020年

作者： Xia, Weihao Yang, Yujiu Xue, Jing-Hao Wu, Baoyuan Tsinghua Shenzhen International Graduate School Tsinghua University China Department of Statistical Science University College London United Kingdom School of Data Science Chinese University of Hongkong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data Shenzhen China

In this work, we propose TediGAN, a novel framework for multi-modal image generation and manipulation with textual descriptions. The proposed method consists of three components: StyleGAN inversion module, visual-linguistic similarity learning, and instance-level optimization. The inversion module maps real images to the latent space of a well-trained StyleGAN. The visual-linguistic similarity learns the text-image matching by mapping the image and text into a common embedding space. The instancelevel optimization is for identity preservation in manipulation. Our model can produce diverse and high-quality images with an unprecedented resolution at 10242. Using a control mechanism based on style-mixing, our Tedi- GAN inherently supports image synthesis with multi-modal inputs, such as sketches or semantic labels, with or without instance guidance. To facilitate text-guided multimodal synthesis, we propose the Multi-Modal CelebA-HQ, a large-scale dataset consisting of real face images and corresponding semantic segmentation map, sketch, and textual descriptions. Extensive experiments on the introduced dataset demonstrate the superior performance of our proposed method. Code and data are available at https://***/weihaox/TediGAN. Copyright © 2020, The Authors. All rights reserved.

关键词： Semantic Segmentation

Backdoor attack against speaker verification

学校读者我要写书评

暂无评论

arXiv 2020年

作者： Zhai, Tongqing Li, Yiming Zhang, Ziqi Wu, Baoyuan Jiang, Yong Xia, Shu-Tao Tsinghua Shenzhen International Graduate School Tsinghua University Shenzhen China School of Data Science The Chinese University of Hong Kong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data Shenzhen China PCL Research Center of Networks and Communications Peng Cheng Laboratory Shenzhen China

Speaker verification has been widely and successfully adopted in many mission-critical areas for user identification. The training of speaker verification requires a large amount of data, therefore users usually need to adopt third-party data (e.g., data from the Internet or third-party data company). This raises the question of whether adopting untrusted third-party data can pose a security threat. In this paper, we demonstrate that it is possible to inject the hidden backdoor for infecting speaker verification models by poisoning the training data. Specifically, we design a clustering-based attack scheme where poisoned samples from different clusters will contain different triggers (i.e., pre-defined utterances), based on our understanding of verification tasks. The infected models behave normally on benign samples, while attacker-specified unenrolled triggers will successfully pass the verification even if the attacker has no information about the enrolled speaker. We also demonstrate that existing backdoor attacks cannot be directly adopted in attacking speaker verification. Our approach not only provides a new perspective for designing novel attacks, but also serves as a strong baseline for improving the robustness of verification methods. The code for reproducing main results is available at https://***/zhaitongqing233/Back door-attack-against-speaker-verification. Copyright © 2020, The Authors. All rights reserved.

关键词： Speech recognition

Pixel-wise dense detector for image inpainting

学校读者我要写书评

暂无评论

arXiv 2020年

作者： Zhang, Ruisong Quan, Weize Wu, Baoyuan Li, Zhifeng Yan, Dong-Ming National Laboratory of Pattern Recognition Institute of Automation Chinese Academy of Sciences Beijing100190 China School of Artificial Intelligence University of Chinese Academy of Sciences Beijing100049 China School of Data Science Chinese University of Hong Kong Shenzhen Hong Kong Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data China Tencent AI Lab Shenzhen China

Recent GAN-based image inpainting approaches adopt an average strategy to discriminate the generated image and output a scalar, which inevitably lose the position information of visual artifacts. Moreover, the adversarial loss and reconstruction loss (e.g., `1 loss) are combined with tradeoff weights, which are also difficult to tune. In this paper, we propose a novel detection-based generative framework for image inpainting, which adopts the min-max strategy in an adversarial process. The generator follows an encoder-decoder architecture to fill the missing regions, and the detector using weakly supervised learning localizes the position of artifacts in a pixel-wise manner. Such position information makes the generator pay attention to artifacts and further enhance them. More importantly, we explicitly insert the output of the detector into the reconstruction loss with a weighting criterion, which balances the weight of the adversarial loss and reconstruction loss automatically rather than manual operation. Experiments on multiple public datasets show the superior performance of the proposed framework. The source code is available at https://***/Evergrow/GDN_Inpainting. Copyright © 2020, The Authors. All rights reserved.

关键词： Pixels

Dual ResGCN for balanced scene graph generation

学校读者我要写书评

暂无评论

arXiv 2020年

作者： Zhang, Jingyi Zhang, Yong Wu, Baoyuan Fan, Yanbo Shen, Fumin Shen, Heng Tao Center for Future Media University of Electronic Science and Technology of China Chengdu610054 China School of Computer Science and Engineering University of Electronic Science and Technology of China Chengdu610054 China School of Data Science Chinese University of Hong Kong Shenzhen Shenzhen518172 Hong Kong Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data Shenzhen518172 China Tencent AI Lab Shenzhen519000 China

Visual scene graph generation is a challenging task. Previous works have achieved great progress, but most of them do not explicitly consider the class imbalance issue in scene graph generation. Models learned without considering the class imbalance tend to predict the majority classes, which leads to a good performance on trivial frequent predicates, but poor performance on informative infrequent predicates. However, predicates of minority classes often carry more semantic and precise information (e.g., ‘on’ v.s ‘parked on’). To alleviate the influence of the class imbalance, we propose a novel model, dubbed dual ResGCN, which consists of an object residual graph convolutional network and a relation residual graph convolutional network. The two networks are complementary to each other. The former captures object-level context information, i.e., the connections among objects. We propose a novel ResGCN that enhances object features in a cross attention manner. Besides, we stack multiple contextual coefficients to alleviate the imbalance issue and enrich the prediction diversity. The latter is carefully designed to explicitly capture relation-level context information i.e., the connections among relations. We propose to incorporate the prior about the co-occurrence of relation pairs into the graph to further help alleviate the class imbalance issue. Extensive evaluations of three tasks are performed on the large-scale database VG to demonstrate the superiority of the proposed method. Copyright © 2020, The Authors. All rights reserved.

关键词： Semantics

Invisible backdoor attack with sample-specific triggers

学校读者我要写书评

暂无评论

arXiv 2020年

作者： Li, Yuezun Li, Yiming Wu, Baoyuan Li, Longkang He, Ran Lyu, Siwei Ocean University of China Qingdao China School of Data Science The Chinese University of Hong Kong Shenzhen China Secure Computing Lab of Big Data Shenzhen Research Institute of Big Data Shenzhen China Tsinghua Shenzhen International Graduate School Tsinghua University Shenzhen China NLPR/CRIPAC Institute of Automation Chinese Academy of Sciences Beijing China University at Buffalo SUNY NY United States

关键词： Deep neural networks