EagleEye: Attack-Agnostic Defense against Adversarial Inputs (Technical Report)
Deep neural networks (DNNs) are inherently vulnerable to adversarial inputs:
such maliciously crafted samples trigger DNNs to misbehave, leading to
detrimental consequences for DNN-powered systems. The fundamental challenges of
mitigating adversarial inputs stem from their adaptive and variable nature.
Existing solutions attempt to improve DNN resilience against specific attacks;
yet, such static defenses can often be circumvented by adaptively engineered
inputs or by new attack variants.
Here, we present EagleEye, an attack-agnostic adversarial tampering analysis
engine for DNN-powered systems. Our design exploits the "minimality
principle" underlying many attacks: to maximize the attack's evasiveness, the
adversary often seeks the minimum possible distortion to convert genuine inputs
to adversarial ones. We show that this practice gives adversarial inputs
distinct distributional properties in the input space. By
leveraging such properties in a principled manner, EagleEye effectively
discriminates adversarial inputs and even uncovers their correct classification
outputs. Through extensive empirical evaluation using a range of benchmark
datasets and DNN models, we validate EagleEye's efficacy. We further
investigate the adversary's possible countermeasures, which reveal a difficult
dilemma for her: to evade EagleEye's detection, excessive distortion is
necessary, thereby significantly reducing the attack's evasiveness with respect
to other detection mechanisms.
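As a rough, hypothetical illustration of how the minimality principle can be exploited (not EagleEye's actual algorithm): an input that was pushed across a decision boundary with minimal distortion tends to sit near that boundary, so its predicted label is unusually unstable under tiny random perturbations. The model_predict interface below is an assumption.

import numpy as np

def stability_score(model_predict, x, sigma=0.02, n_trials=32, seed=0):
    """Fraction of small random perturbations of x that keep the predicted label.

    Illustrative sketch only: minimally distorted adversarial inputs lie close
    to a decision boundary, so their labels flip easily under tiny noise,
    whereas genuine inputs are comparatively stable. model_predict is a
    hypothetical function mapping a batch of inputs to integer labels.
    """
    rng = np.random.default_rng(seed)
    base_label = model_predict(x[None])[0]
    noisy = x[None] + sigma * rng.standard_normal((n_trials,) + x.shape)
    return float(np.mean(model_predict(noisy) == base_label))

# A low stability score suggests the input sits just across a decision
# boundary, consistent with a minimally perturbed adversarial input.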
DeepFense: Online Accelerated Defense Against Adversarial Deep Learning
Recent advances in adversarial Deep Learning (DL) have opened up a largely
unexplored surface for malicious attacks jeopardizing the integrity of
autonomous DL systems. With the widespread use of DL in critical and
time-sensitive applications, including unmanned vehicles, drones, and video
surveillance systems, online detection of malicious inputs is of utmost
importance. We propose DeepFense, the first end-to-end automated framework that
simultaneously enables efficient and safe execution of DL models. DeepFense
formalizes the goal of thwarting adversarial attacks as an optimization problem
that minimizes the rarely observed regions in the latent feature space spanned
by a DL network. To solve the aforementioned minimization problem, a set of
complementary but disjoint modular redundancies are trained to validate the
legitimacy of the input samples in parallel with the victim DL model. DeepFense
leverages hardware/software/algorithm co-design and customized acceleration to
achieve just-in-time performance in resource-constrained settings. The proposed
countermeasure is unsupervised, meaning that no adversarial sample is leveraged
to train modular redundancies. We further provide an accompanying API to reduce
the non-recurring engineering cost and ensure automated adaptation to various
platforms. Extensive evaluations on FPGAs and GPUs demonstrate up to two orders
of magnitude performance improvement while enabling online adversarial sample
detection.
Comment: Adding hardware acceleration for real-time execution of the defender module.
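A minimal sketch of one unsupervised "modular redundancy" in the spirit of the abstract: a density model fit only on the latent features of legitimate data, flagging inputs that fall in rarely observed regions. The GMM-based model and the thresholding rule are illustrative assumptions, not the paper's exact formulation.

import numpy as np
from sklearn.mixture import GaussianMixture

class LatentDensityChecker:
    """Unsupervised checker fit on latent features of legitimate data only."""

    def __init__(self, n_components=8):
        self.gmm = GaussianMixture(n_components=n_components, covariance_type="diag")
        self.threshold = None

    def fit(self, legit_latents, fpr=0.05):
        self.gmm.fit(legit_latents)
        scores = self.gmm.score_samples(legit_latents)   # per-sample log-likelihood
        self.threshold = np.quantile(scores, fpr)        # flag the rarest fpr fraction
        return self

    def is_suspicious(self, latents):
        return self.gmm.score_samples(latents) < self.threshold

# Several such checkers, each attached to a different layer of the victim
# model, could run in parallel and vote; that parallel validation is the part
# the paper accelerates on FPGAs and GPUs.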
Exploiting the Inherent Limitation of L0 Adversarial Examples
Despite the great achievements made by neural networks on tasks such as image
classification, they are brittle and vulnerable to adversarial example (AE)
attacks, which are crafted by adding human-imperceptible perturbations to
inputs so that a neural-network-based classifier mislabels them.
In particular, L0 AEs are a category of widely discussed threats where
adversaries are restricted in the number of pixels that they can corrupt.
However, our observation is that, while L0 attacks modify as few pixels as
possible, they tend to cause large-amplitude perturbations to the modified
pixels. We consider this as an inherent limitation of L0 AEs, and thwart such
attacks by both detecting and rectifying them. The main novelty of the proposed
detector is that we convert the AE detection problem into a comparison problem
by exploiting the inherent limitation of L0 attacks. More concretely, given an
image I, it is pre-processed to obtain another image I'. A Siamese network,
which is known to be effective at comparison tasks, takes I and I' as the input pair
to determine whether I is an AE. A trained Siamese network automatically and
precisely captures the discrepancies between I and I' to detect L0
perturbations. In addition, we show that the pre-processing technique,
inpainting, used for detection can also work as an effective defense, which has
a high probability of removing the adversarial influence of L0 perturbations.
Thus, our system, called AEPECKER, demonstrates not only high AE detection
accuracies, but also a notable capability to correct the classification
results.
Comment: Accepted by the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019).
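A minimal sketch of the inpainting pre-processing described above, assuming OpenCV; the local-median heuristic and threshold used to locate the few large-amplitude pixels are illustrative choices, not the paper's exact procedure.

import cv2
import numpy as np

def preprocess_inpaint(img_u8, amp_thresh=40):
    """Locate pixels whose amplitude deviates strongly from a local median
    (the sparse, large changes typical of L0 attacks) and inpaint them.
    img_u8 is a uint8 image; thresholds are illustrative."""
    med = cv2.medianBlur(img_u8, 3)
    diff = cv2.absdiff(img_u8, med)
    if diff.ndim == 3:
        diff = diff.max(axis=2)
    mask = (diff > amp_thresh).astype(np.uint8)
    return cv2.inpaint(img_u8, mask, inpaintRadius=3, flags=cv2.INPAINT_TELEA)

# In the paper's pipeline, I and I' = preprocess_inpaint(I) are fed to a
# trained Siamese network; a large learned discrepancy flags I as an L0 AE,
# and classifying I' (with the perturbation largely removed) can recover the
# correct label.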
Attention: A Big Surprise for Cross-Domain Person Re-Identification
In this paper, we focus on model generalization and adaptation for
cross-domain person re-identification (Re-ID). Unlike existing cross-domain
Re-ID methods, which leverage auxiliary information from unlabeled
target-domain data, we aim to enhance model generalization and adaptation
through discriminative feature learning, applying a pre-trained model directly
to new domains (datasets) without using any information from the target
domains. To address the discriminative feature learning problem, we find,
surprisingly, that simply introducing an attention mechanism to adaptively
extract person features for every domain is highly effective. We
adopt two popular types of attention mechanism: long-range-dependency-based
attention and direct-generation-based attention. Both can apply attention
along the spatial or channel dimension alone, or along both combined, and the
different attention variants are clearly outlined. Moreover, we incorporate
the attention results into the model's final output through skip connections,
so that the features carry both high-level and mid-level semantic visual
information. When a pre-trained model is applied directly to new domains, this
attention incorporation genuinely enhances model generalization and adaptation
for cross-domain person Re-ID. We conduct extensive experiments across three
large datasets: Market-1501, DukeMTMC-reID, and MSMT17. Surprisingly,
introducing attention alone achieves state-of-the-art performance, considerably
better than cross-domain Re-ID methods that utilize auxiliary information from
the target domain.
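As an illustration of the direct-generation-style channel attention with a skip connection mentioned above, here is a generic SE-like PyTorch block; it is a sketch of the general technique, not the authors' exact module.

import torch
import torch.nn as nn

class ChannelAttention(nn.Module):
    """Squeeze-and-excitation-style channel attention with a skip connection."""

    def __init__(self, channels, reduction=16):
        super().__init__()
        self.fc = nn.Sequential(
            nn.Linear(channels, channels // reduction),
            nn.ReLU(inplace=True),
            nn.Linear(channels // reduction, channels),
            nn.Sigmoid(),
        )

    def forward(self, x):                      # x: (N, C, H, W)
        w = self.fc(x.mean(dim=(2, 3)))        # squeeze -> per-channel weights
        return x + x * w[:, :, None, None]     # re-weight channels, add skip connection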
Large-Scale Long-Tailed Recognition in an Open World
Real world data often have a long-tailed and open-ended distribution. A
practical recognition system must classify among majority and minority classes,
generalize from a few known instances, and acknowledge novelty when presented
with a never-seen instance. We define Open Long-Tailed Recognition (OLTR) as
learning from such naturally distributed data and optimizing classification
accuracy over a balanced test set that includes head, tail, and open classes.
OLTR must
handle imbalanced classification, few-shot learning, and open-set recognition
in one integrated algorithm, whereas existing classification approaches focus
only on one aspect and deliver poorly over the entire class spectrum. The key
challenges are how to share visual knowledge between head and tail classes and
how to reduce confusion between tail and open classes. We develop an integrated
OLTR algorithm that maps an image to a feature space such that visual concepts
can easily relate to each other based on a learned metric that respects the
closed-world classification while acknowledging the novelty of the open world.
Our so-called dynamic meta-embedding combines a direct image feature and an
associated memory feature, with the feature norm indicating familiarity with
known classes. On three large-scale OLTR datasets we curate from object-centric
ImageNet, scene-centric Places, and face-centric MS1M data, our method
consistently outperforms the state-of-the-art. Our code, datasets, and models
enable future OLTR research and are publicly available at
https://liuziwei7.github.io/projects/LongTail.html.
Comment: To appear in CVPR 2019 as an oral presentation. Code, datasets, and models are available at https://liuziwei7.github.io/projects/LongTail.html.
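A minimal sketch of the dynamic meta-embedding idea: a direct feature attends over a memory of class centroids, a learned coefficient controls how much memory feature is injected, and the direct feature's norm serves as a familiarity cue. The specific layers and initialization here are assumptions; the paper's implementation differs in detail.

import torch
import torch.nn as nn
import torch.nn.functional as F

class DynamicMetaEmbedding(nn.Module):
    """Combine a direct feature with a memory feature retrieved from class centroids."""

    def __init__(self, feat_dim, num_classes):
        super().__init__()
        self.memory = nn.Parameter(torch.randn(num_classes, feat_dim))  # class centroids
        self.concept = nn.Linear(feat_dim, 1)

    def forward(self, v_direct):                                # v_direct: (N, D)
        attn = F.softmax(v_direct @ self.memory.t(), dim=1)     # attend over centroids
        v_memory = attn @ self.memory                           # retrieved memory feature
        e = torch.sigmoid(self.concept(v_direct))               # how much memory to inject
        v_meta = v_direct + e * v_memory
        familiarity = v_direct.norm(dim=1, keepdim=True)        # low norm ~ open/unfamiliar
        return v_meta, familiarity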
Deep Learning of Appearance Models for Online Object Tracking
This paper introduces a novel deep-learning-based approach for vision-based
single-target tracking. We address this problem by proposing a network
architecture which takes the input video frames and directly computes the
tracking score for any candidate target location by estimating the probability
distributions of the positive and negative examples. This is achieved by
combining a deep convolutional neural network with a Bayesian loss layer in a
unified framework. In order to deal with the limited number of positive
training examples, the network is pre-trained offline for a generic image
feature representation and then is fine-tuned in multiple steps. An online
fine-tuning step is carried out at every frame to learn the appearance of the
target. We adopt a two-stage iterative algorithm to adaptively update the
network parameters and maintain a probability density for target/non-target
regions. The tracker has been tested on the standard tracking benchmark, and the
results indicate that the proposed solution achieves state-of-the-art tracking
results.
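A rough sketch of such a per-frame online adaptation loop (generic, not the authors' exact two-stage algorithm); sample_candidates, sample_patches, and loss_fn are hypothetical helpers standing in for the paper's candidate sampling and Bayesian loss layer.

import torch

def track_frame(net, optimizer, frame, prev_box, loss_fn,
                sample_candidates, sample_patches, n_steps=3):
    # Score candidate locations around the previous estimate.
    net.eval()
    with torch.no_grad():
        boxes, crops = sample_candidates(frame, prev_box)   # candidate windows
        scores = net(crops).view(-1)                         # tracking scores
        best_box = boxes[int(scores.argmax())]

    # Online fine-tuning on target/background patches from the current frame.
    net.train()
    for _ in range(n_steps):
        pos, neg = sample_patches(frame, best_box)
        loss = loss_fn(net(pos), net(neg))
        optimizer.zero_grad()
        loss.backward()
        optimizer.step()
    return best_box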
Power up! Robust Graph Convolutional Network against Evasion Attacks based on Graph Powering
Graph convolutional networks (GCNs) are powerful tools for graph-structured
data. However, they have been recently shown to be prone to topological
attacks. Despite substantial efforts to search for new architectures, it still
remains a challenge to improve performance in both benign and adversarial
situations simultaneously. In this paper, we re-examine the fundamental
building block of GCNs, the Laplacian operator, and highlight some basic flaws
in the spatial and spectral domains. As an alternative, we propose an operator
based on graph powering, and prove that it enjoys a desirable property of
"spectral separation." Based on the operator, we propose a robust learning
paradigm, where the network is trained on a family of "smoothed" graphs that
span a spatial and spectral range for generalizability. We also use the new
operator in replacement of the classical Laplacian to construct an architecture
with improved spectral robustness, expressivity and interpretability. The
enhanced performance and robustness are demonstrated in extensive experiments.
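For concreteness, graph powering itself can be stated in a few lines: the k-th power of a graph connects two nodes whenever they are within k hops of each other. The sketch below only builds that powered adjacency matrix; the paper's contribution is the robust Laplacian-like operator and training scheme built on top of it.

import numpy as np

def graph_power_adjacency(A, k):
    """Adjacency of the k-th graph power for a binary adjacency matrix A:
    i and j are connected iff some walk of length <= k joins them
    (self-loops removed)."""
    n = A.shape[0]
    P = np.zeros((n, n))
    M = np.eye(n)
    for _ in range(k):
        M = M @ A            # counts walks one step longer
        P += M
    Ak = (P > 0).astype(int) # connected iff reachable within k hops
    np.fill_diagonal(Ak, 0)
    return Ak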
PixelDefend: Leveraging Generative Models to Understand and Defend against Adversarial Examples
Adversarial perturbations of normal images are usually imperceptible to
humans, but they can seriously confuse state-of-the-art machine learning
models. What makes them so special in the eyes of image classifiers? In this
paper, we show empirically that adversarial examples mainly lie in the low
probability regions of the training distribution, regardless of attack types
and targeted models. Using statistical hypothesis testing, we find that modern
neural density models are surprisingly good at detecting imperceptible image
perturbations. Based on this discovery, we devise PixelDefend, a new approach
that purifies a maliciously perturbed image by moving it back towards the
distribution seen in the training data. The purified image is then run through
an unmodified classifier, making our method agnostic to both the classifier and
the attacking method. As a result, PixelDefend can be used to protect already
deployed models and be combined with other model-specific defenses. Experiments
show that our method greatly improves resilience across a wide variety of
state-of-the-art attacking methods, increasing accuracy on the strongest attack
from 63% to 84% for Fashion MNIST and from 32% to 70% for CIFAR-10.
Comment: ICLR 2018.
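A minimal sketch of the purification step described above: each pixel, visited in raster order, is replaced by the value within an eps-ball of the original that the density model deems most likely. Here cond_logits is a hypothetical callable standing in for the PixelCNN's 256-way conditional distribution over one sub-pixel given all previously fixed ones; eps is measured in 0-255 intensity units.

import numpy as np

def purify(x, cond_logits, eps=16):
    """Greedy, raster-order purification of a uint8 image x of shape (H, W, C)."""
    x = x.copy()
    H, W, C = x.shape
    for i in range(H):
        for j in range(W):
            for c in range(C):
                logits = cond_logits(x, i, j, c)               # shape (256,)
                lo = max(0, int(x[i, j, c]) - eps)
                hi = min(255, int(x[i, j, c]) + eps)
                window = logits[lo:hi + 1]                     # values inside the eps-ball
                x[i, j, c] = lo + int(np.argmax(window))       # most likely allowed value
    return x

# The purified image is then classified by the unmodified model, which is what
# makes the defense agnostic to both classifier and attack.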
Sharp Attention Network via Adaptive Sampling for Person Re-identification
In this paper, we present novel sharp attention networks by adaptively
sampling feature maps from convolutional neural networks (CNNs) for person
re-identification (re-ID) problem. Due to the introduction of sampling-based
attention models, the proposed approach can adaptively generate sharper
attention-aware feature masks. This greatly differs from gating-based
attention mechanisms, which rely on soft gating functions to select the relevant
features for person re-ID. In contrast, the proposed sampling-based attention
mechanism allows us to effectively trim irrelevant features by enforcing the
resultant feature masks to focus on the most discriminative features. It can
produce sharper attention maps that more assertively localize the subtle
features relevant to re-identifying people across cameras. For this purpose, a
differentiable Gumbel-Softmax sampler is employed to approximate the Bernoulli
sampling to train the sharp attention networks. Extensive experimental
evaluations demonstrate the superiority of this new sharp attention model for
person re-ID over the other state-of-the-art methods on three challenging
benchmarks including CUHK03, Market-1501, and DukeMTMC-reID.
Comment: Accepted by IEEE Transactions on Circuits and Systems for Video Technology (T-CSVT).
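A minimal sketch of the Gumbel-Softmax relaxation of Bernoulli mask sampling referred to above (a generic illustration, not the authors' exact architecture); the 1x1 convolution producing per-location keep/drop logits is an assumption.

import torch
import torch.nn as nn
import torch.nn.functional as F

class SharpAttentionMask(nn.Module):
    """Sampling-based attention: a near-binary keep/drop mask per spatial location,
    kept differentiable during training via the Gumbel-Softmax relaxation."""

    def __init__(self, channels):
        super().__init__()
        self.score = nn.Conv2d(channels, 2, kernel_size=1)   # logits for {drop, keep}

    def forward(self, x, tau=0.5):                            # x: (N, C, H, W)
        logits = self.score(x).permute(0, 2, 3, 1)            # (N, H, W, 2)
        mask = F.gumbel_softmax(logits, tau=tau, hard=True)[..., 1]  # ~Bernoulli keep-mask
        return x * mask.unsqueeze(1)                          # sharp, near-binary attention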
Adaptive DDoS attack detection method based on multiple-kernel learning
Distributed denial of service (DDoS) attacks have caused huge economic losses
to society. They have become one of the main threats to Internet security. Most
current detection methods, which rely on a single feature and fixed model
parameters, cannot effectively detect early DDoS attacks in cloud and big-data
environments. In this paper, an adaptive DDoS attack detection method (ADADM)
based on multiple kernel learning (MKL) is proposed. Based on the burstiness of
DDoS attack flows, the distribution of addresses, and the interactivity of
communication, we define five features to describe network flow
characteristics. Within an ensemble learning framework, the weight of each
dimension is adaptively adjusted by increasing the inter-class mean via
gradient ascent and reducing the intra-class variance via gradient descent, and
the classifier is built to identify early DDoS attacks by training simple
multiple kernel learning (SMKL) models with two characteristics: inter-class
mean-squared-difference growth (M-SMKL) and intra-class variance descent
(S-SMKL). A sliding-window mechanism coordinates S-SMKL and M-SMKL to detect
early DDoS attacks. The experimental results indicate that this method can
detect DDoS attacks early and accurately.
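A minimal sketch of the multiple-kernel-learning backbone, assuming scikit-learn and fixed (non-adapted) kernel weights; in the paper the weights are adjusted by gradient ascent on the inter-class mean difference and gradient descent on the intra-class variance, and two such models (M-SMKL, S-SMKL) are coordinated by a sliding window. The feature and label arrays below are random placeholders, not real traffic data.

import numpy as np
from sklearn.svm import SVC
from sklearn.metrics.pairwise import rbf_kernel, linear_kernel, polynomial_kernel

def combined_kernel(X, Y, weights):
    """Convex combination of base kernels, the core object in simple MKL."""
    kernels = [rbf_kernel(X, Y, gamma=0.5),
               linear_kernel(X, Y),
               polynomial_kernel(X, Y, degree=2)]
    return sum(w * K for w, K in zip(weights, kernels))

weights = np.array([0.5, 0.3, 0.2])        # fixed here; adapted in the paper
X_train = np.random.rand(200, 5)           # five flow features per window (placeholder)
y_train = np.random.randint(0, 2, 200)     # 1 = attack, 0 = benign (placeholder)
clf = SVC(kernel="precomputed").fit(combined_kernel(X_train, X_train, weights), y_train)

X_new = np.random.rand(10, 5)
pred = clf.predict(combined_kernel(X_new, X_train, weights))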