28 research outputs found

    Empirical Perturbation Analysis of Two Adversarial Attacks: Black Box versus White Box

    Through the addition of humanly imperceptible noise to an image classified as belonging to a category c_a, targeted adversarial attacks can lead convolutional neural networks (CNNs) to classify a modified image as belonging to any predefined target class c_t ≠ c_a. To achieve a better understanding of the inner workings of adversarial attacks, this study analyzes the adversarial images created by two completely opposite attacks against 10 ImageNet-trained CNNs. A total of 2×437 adversarial images are created by EAtarget,C, a black-box evolutionary algorithm (EA), and by the basic iterative method (BIM), a white-box, gradient-based attack. We inspect and compare these two sets of adversarial images from different perspectives: the behavior of CNNs at smaller image regions, the image noise frequency, the adversarial image transferability, the image texture change, and penultimate CNN layer activations. We find that texture change is a side effect rather than a means for the attacks and that c_t-relevant features only build up significantly from image regions of size 56×56 onwards. In the penultimate CNN layers, both attacks increase the activation of units that are positively related to c_t and units that are negatively related to c_a. In contrast to EAtarget,C’s white noise nature, BIM predominantly introduces low-frequency noise. BIM affects the original c_a features more than EAtarget,C, thus producing slightly more transferable adversarial images. However, the transferability with both attacks is low, since the attacks’ c_t-related information is specific to the output layers of the targeted CNN. We find that the adversarial images are actually more transferable at regions with sizes of 56×56 than at full scale.

    ShuffleDetect: Detecting Adversarial Images against Convolutional Neural Networks

    Recently, convolutional neural networks (CNNs) have become the main drivers in many image recognition applications. However, they are vulnerable to adversarial attacks, which can lead to disastrous consequences. This paper introduces ShuffleDetect as a new and efficient unsupervised method for the detection of adversarial images against trained convolutional neural networks. Its main feature is to split an input image into non-overlapping patches, then swap the patches according to permutations, and count the number of permutations for which the CNN classifies the unshuffled input image and the shuffled image into different categories. The image is declared adversarial if and only if the proportion of such permutations exceeds a certain threshold value. A series of 8 targeted or untargeted attacks was applied on 10 diverse and state-of-the-art ImageNet-trained CNNs, leading to 9500 relevant clean and adversarial images. We assessed the performance of ShuffleDetect intrinsically and compared it with another detector. Experiments show that ShuffleDetect is an easy-to-implement, very fast, and near memory-free detector that achieves high detection rates and low false positive rates.

    One evolutionary algorithm deceives humans and ten convolutional neural networks trained on ImageNet at image recognition

    Convolutional neural networks (CNNs) are widely used in computer vision, but can be deceived by carefully crafted adversarial images. In this paper, we propose an evolutionary algorithm (EA) based adversarial attack against CNNs trained on ImageNet. Our EA-based attack aims to generate adversarial images that not only achieve a high confidence probability of being classified into the target category (at least 75%), but also appear indistinguishable to the human eye in a black-box setting. These constraints are implemented to simulate a realistic adversarial attack scenario. Our attack has been thoroughly evaluated on 10 CNNs in various attack scenarios, including high-confidence targeted, good-enough targeted, and untargeted. Furthermore, we have compared our attack favorably against other well-known white-box and black-box attacks. The experimental results revealed that the proposed EA-based attack is superior or on par with its competitors in terms of the success rate and the visual quality of the adversarial images produced.

    A strategy creating high-resolution adversarial images against convolutional neural networks and a feasibility study on 10 CNNs

    To perform image recognition, Convolutional Neural Networks (CNNs) assess any image by first resizing it to its input size. In particular, high-resolution images are scaled down, say to 224×244 for CNNs trained on ImageNet. So far, existing attacks, aiming at creating an adversarial image that a CNN would misclassify while a human would not notice any difference between the modified and unmodified images, proceed by creating adversarial noise in the 224×244 resized domain and not in the high-resolution domain. The complexity of directly attacking high-resolution images leads to challenges in terms of speed, adversity and visual quality, making these attacks infeasible in practice. We design an indirect attack strategy that lifts to the high-resolution domain any existing attack that works efficiently in the CNN's input size domain. Adversarial noise created via this method is of the same size as the original image. We apply this approach to 10 state-of-the-art CNNs trained on ImageNet, with an evolutionary algorithm-based attack. Our method succeeded in 900 out of 1000 trials to create such adversarial images, that CNNs classify with probability ≥0.55 in the adversarial category. Our indirect attack is the first effective method at creating adversarial images in the high-resolution domain.

    Dynamic virtual bats algorithm (dvba) for global numerical optimization

    This paper presents a novel Dynamic Virtual Bats Algorithm (DVBA) for global optimization. This algorithm is inspired by the bat's echolocation behavior, in particular, focusing on the way they change the wavelength and frequency of the emitted sound wave while looking for prey. The role-based search is developed to improve the global and local search capability of Yang's Bat Algorithm. In the DVBA, there are just two bats that are dynamically switching roles from the explorer bat to the exploiter bat according to their position. DVBA has been evaluated, in comparison with standard Particle Swarm Optimization (PSO) and standard Bat Algorithm (BA), on a number of mathematical benchmark functions. Experimental results show that the DVBA can provide superior performance to BA and PSO in optimizing these benchmark functions, mainly in terms of its accuracy and robustness.

    A novel meta-heuristic algorithm: dynamic virtual bats algorithm

    Nature-inspired algorithms are a very important part of meta-heuristics. A novel nature-inspired algorithm called the Dynamic Virtual Bats Algorithm (DVBA) is presented in this paper. DVBA is inspired by a bat’s ability to manipulate frequency and wavelength of the emitted sound waves when hunting. A role-based search has been developed to improve the diversification and intensification capability of Bat Algorithm. In the DVBA, there are only two bats: explorer and exploiter bat. While the explorer bat explores the search space, the exploiter bat makes an intensive search of the local with the highest probability of locating the desired target. Depending on their location, bats exchange the roles dynamically. The performance of the DVBA is extensively evaluated on a suite of 30 bound-constrained optimization problems from CEC 2014 and compared favorably with other well-known meta-heuristic algorithms. The experimental results demonstrated that the proposed DVBA outperforms, or is comparable to, its competitors in terms of the quality of final solution and its convergence rates.

    Large scale continuous global optimization based on micro differential evolution with local directional search

    Over the years, many optimization algorithms have been developed to solve large-scale optimization problems accurately and efficiently. In this regard, Memetic Algorithms offer a robust and efficient framework that hybridizes the Evolutionary Algorithms with a local heuristic search. In this work, we propose micro Differential Evolution with a Directional Local Search (µDSDE) algorithm using a small population size to solve large-scale continuous optimization problems. In this technique, the best individual retains its position, the second best individual undergoes mutation and crossover processes of DE, and the rest are reinitialized on the search space. Exploration of the search is carried out with the dispersal of the worst individuals whereas exploitation is performed through DE operators and Directional Local Search (DLS). We conducted extensive empirical studies using two test suites on Large Scale Global Optimization benchmark with up to 5000 dimensions. The results show that µDSDE considerably outperforms existing solutions in terms of the convergence rate and solution quality.

    Dynamic virtual bats algorithm (DVBA) for minimization of supply chain cost with embedded risk

    Dynamic Virtual Bats Algorithm (DVBA) is a new optimization algorithm, which is tested on several benchmark functions for global optimization. However, it has not been tested on a real-world problem yet. In this paper DVBA has been applied to minimize the supply chain cost with other well-known algorithms, Particle Swarm Optimization (PSO), Bat Algorithm (BA), Genetic Algorithm (GA) and Tabu Search (TS). Optimization of supply chain is considered as a real challenge by researchers because of its complexity. The large number of parameters to be controlled and their distributions, interconnections between parameters and dynamism are the main factors that increase the complexity of a supply chain. The result of the case study showed that the DVBA is much superior to other algorithms in terms of accuracy and efficiency. © 2014 IEEE

    Creating High-Resolution Adversarial Images Against Convolutional Neural Networks with the Noise Blowing-Up Method

    Peer reviewed. Convolutional Neural Networks (CNNs) are widely used for image recognition tasks but are vulnerable to attacks. Most existing attacks create adversarial images of a size equal to the CNN’s input size, mainly because creating adversarial images in the high-resolution domain leads to substantial speed, adversity, and visual quality challenges. In a previous work, we developed a method that lifts any existing attack working efficiently in the CNN’s input size domain to the high-resolution domain. This method successfully addressed the first two challenges but only partially addressed the third one. The present article provides a crucial refinement of this strategy that, while keeping all its other features, substantially increases the visual quality of the obtained high-resolution adversarial images. The refinement amounts to a blowing-up to the high-resolution domain of the adversarial noise created in the low-resolution domain. Adding this blown-up noise to the clean original high-resolution image leads to an almost indistinguishable high-resolution adversarial image. The noise blowing-up strategy is successfully tested on an evolutionary-based black-box targeted attack against VGG-16 trained on ImageNet, with 10 high-resolution clean images.