182 research outputs found

    Attacking Visual Language Grounding with Adversarial Examples: A Case Study on Neural Image Captioning

    Visual language grounding is widely studied in modern neural image captioning systems, which typically adopt an encoder-decoder framework consisting of two principal components: a convolutional neural network (CNN) for image feature extraction and a recurrent neural network (RNN) for language caption generation. To study the robustness of language grounding to adversarial perturbations in machine vision and perception, we propose Show-and-Fool, a novel algorithm for crafting adversarial examples in neural image captioning. The proposed algorithm provides two evaluation approaches, which check whether neural image captioning systems can be misled to output some randomly chosen captions or keywords. Our extensive experiments show that our algorithm can successfully craft visually-similar adversarial examples with randomly targeted captions or keywords, and the adversarial examples can be made highly transferable to other image captioning systems. Consequently, our approach leads to new robustness implications of neural image captioning and novel insights in visual language grounding. Comment: Accepted by 56th Annual Meeting of the Association for Computational Linguistics (ACL 2018). Hongge Chen and Huan Zhang contribute equally to this wor

    ZOO: Zeroth Order Optimization based Black-box Attacks to Deep Neural Networks without Training Substitute Models

    Deep neural networks (DNNs) are one of the most prominent technologies of our time, as they achieve state-of-the-art performance in many machine learning tasks, including but not limited to image classification, text mining, and speech processing. However, recent research on DNNs has indicated ever-increasing concern on the robustness to adversarial examples, especially for security-critical tasks such as traffic sign identification for autonomous driving. Studies have unveiled the vulnerability of a well-trained DNN by demonstrating the ability of generating barely noticeable (to both human and machines) adversarial images that lead to misclassification. Furthermore, researchers have shown that these adversarial images are highly transferable by simply training and attacking a substitute model built upon the target model, known as a black-box attack to DNNs. Similar to the setting of training substitute models, in this paper we propose an effective black-box attack that also only has access to the input (images) and the output (confidence scores) of a targeted DNN. However, different from leveraging attack transferability from substitute models, we propose zeroth order optimization (ZOO) based attacks to directly estimate the gradients of the targeted DNN for generating adversarial examples. We use zeroth order stochastic coordinate descent along with dimension reduction, hierarchical attack and importance sampling techniques to efficiently attack black-box models. By exploiting zeroth order optimization, improved attacks to the targeted DNN can be accomplished, sparing the need for training substitute models and avoiding the loss in attack transferability. Experimental results on MNIST, CIFAR10 and ImageNet show that the proposed ZOO attack is as effective as the state-of-the-art white-box attack and significantly outperforms existing black-box attacks via substitute models. Comment: Accepted by 10th ACM Workshop on Artificial Intelligence and Security (AISEC) with the 24th ACM Conference on Computer and Communications Security (CCS

    Efficient Neural Network Robustness Certification with General Activation Functions

    Finding minimum distortion of adversarial examples and thus certifying robustness in neural network classifiers for given data points is known to be a challenging problem. Nevertheless, recently it has been shown to be possible to give a non-trivial certified lower bound of minimum adversarial distortion, and some recent progress has been made towards this direction by exploiting the piece-wise linear nature of ReLU activations. However, a generic robustness certification for general activation functions still remains largely unexplored. To address this issue, in this paper we introduce CROWN, a general framework to certify robustness of neural networks with general activation functions for given input data points. The novelty in our algorithm consists of bounding a given activation function with linear and quadratic functions, hence allowing it to tackle general activation functions including but not limited to four popular choices: ReLU, tanh, sigmoid and arctan. In addition, we facilitate the search for a tighter certified lower bound by adaptively selecting appropriate surrogates for each neuron activation. Experimental results show that CROWN on ReLU networks can notably improve the certified lower bounds compared to the current state-of-the-art algorithm Fast-Lin, while having comparable computational efficiency. Furthermore, CROWN also demonstrates its effectiveness and flexibility on networks with general activation functions, including tanh, sigmoid and arctan. Comment: Accepted by NIPS 2018. Huan Zhang and Tsui-Wei Weng contributed equall

    Is Robustness the Cost of Accuracy? -- A Comprehensive Study on the Robustness of 18 Deep Image Classification Models

    The prediction accuracy has been the long-lasting and sole standard for comparing the performance of different image classification models, including the ImageNet competition. However, recent studies have highlighted the lack of robustness in well-trained deep neural networks to adversarial examples. Visually imperceptible perturbations to natural images can easily be crafted and mislead the image classifiers towards misclassification. To demystify the trade-offs between robustness and accuracy, in this paper we thoroughly benchmark 18 ImageNet models using multiple robustness metrics, including the distortion, success rate and transferability of adversarial examples between 306 pairs of models. Our extensive experimental results reveal several new insights: (1) linear scaling law - the empirical $\ell_2$ and $\ell_\infty$ distortion metrics scale linearly with the logarithm of classification error; (2) model architecture is a more critical factor to robustness than model size, and the disclosed accuracy-robustness Pareto frontier can be used as an evaluation criterion for ImageNet model designers; (3) for a similar network architecture, increasing network depth slightly improves robustness in $\ell_\infty$ distortion; (4) there exist models (in VGG family) that exhibit high adversarial transferability, while most adversarial examples crafted from one model can only be transferred within the same family. Experiment code is publicly available at https://github.com/huanzhang12/Adversarial_Survey. Comment: Accepted by the European Conference on Computer Vision (ECCV) 201

    Comparison between the use of percutaneous nephrostomy and internal ureteral stenting in the management of long-term ureteral obstructions

    Abstract. Objectives: In this study, we compared between the efficacy and complications of percutaneous nephrostomy (PCN) tubes and those of internal ureteral stents (e.g., double-J stents) used for relieving ureteral obstructions. Materials and methods: A retrospective chart review was performed. Between 2003 and 2009, 110 patients (63 females and 47 males, with a mean age of 63.6 years, range 19–89 years) who had an extrinsic ureteral obstruction, and subsequently underwent either PCN tube placement (n = 44) or internal ureteral stent placement (n = 66), were enrolled. Clinical data on patients with duration of diversion/drainage for more than 6 months were collected. Statistical analyses were performed with respect to a patient's age, etiology of the obstruction, outcome of residual hydronephrosis, and renal function tests. Results: Patient ages and procedure-related complications were comparable between these two groups. The mean duration of diversion was 16.8 ± 8.6 months in the stent group versus 14.1 ± 6.7 months in the PCN group (p = 0.067). A smaller elevation in serum creatinine was noted in the PCN group (0.21 vs. 0.78 mg/dL, p = 0.03). Nine of 86 (10.4%) double-J stents were converted to PCN tubes during the study period. Residual hydronephrosis after decompression was more common in the stent group than in the PCN group (65.2% vs. 27.2%, p = 0.01). These findings suggest better preservation of renal function by a PCN tube. Conclusions: Results of this study suggest that, to better preserve renal function, PCN is the choice of treatment, irrespective of the etiology. While patients who have a PCN tube may have to carry an additional external drainage device, the complications did not seem to differ significantly from those who used internal drainage with a ureteral stent. Because young cancer patients may especially need aggressive chemotherapy to prolong their survival, PCN urinary drainage may become a better choice from the standpoint of cancer control

    Vocal cord dysfunction diagnosed by four-dimensional dynamic volume computed tomography in patients with difficult-to-treat asthma: A case series

    Patients with asthma may also have vocal cord dysfunction (VCD), which leads to poor control of the asthma. Once patients are diagnosed with difficult-to-treat asthma with poor control, VCD should be excluded or treated accordingly. The gold standard for diagnosis of VCD is to perform a laryngoscopy. However, this procedure is invasive and may not be suitable for patients with difficult-to-treat asthma. Four-dimensional (4D) dynamic volume computed tomography (CT) is a noninvasive method for quantification of laryngeal movement, and can serve as an alternative for the diagnosis of VCD. Herein, we present a series of five cases with difficult-to-treat asthma patients who were diagnosed with VCD by 4D dynamic volume CT. Clinicians should be alert to the possibility of VCD when poor control is noted in patients with asthma. Early diagnosis by noninvasive 4D dynamic volume CT can decrease excessive doses of inhaled corticosteroids