doi: 10.17586/2226-1494-2024-24-3-490-499


An approach to detecting L0-optimized attacks on image processing neural networks via means of mathematical statistics

D. A. Esipov


Article in English

For citation:
Esipov D.A. An approach to detecting L0-optimized attacks on image processing neural networks via means of mathematical statistics. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2024, vol. 24, no. 3, pp. 490–499. doi: 10.17586/2226-1494-2024-24-3-490-499


Abstract
Artificial intelligence has become widespread in image processing tasks. At the same time, the number of vulnerabilities in systems implementing these artificial intelligence technologies is increasing (the attack surface is growing). The main threats to information security can be implemented by introducing malicious perturbations into the input data, regardless of their type. To detect such attacks, approaches and methods have been developed based, in particular, on the use of an auto-encoder or the analysis of layers of the target neural network. The disadvantage of existing methods, which significantly reduces the scope of their application, is that they are bound to the dataset or model architecture. This paper discusses the issues of expanding the scope (increasing scalability) of methods for detecting L0-optimized perturbations introduced by unconventional pixel attacks. An approach to detecting these attacks using statistical analysis of input data, regardless of the model and dataset, is proposed. It is assumed that the pixels of the perturbation embedded in the image as a result of an L0-optimized attack will be both local and global outliers. Outlier detection is performed using statistical metrics such as deviation from nearest neighbors and Mahalanobis distance. Each pixel is evaluated (given an anomaly score) as the product of the specified metrics. A threshold clipping algorithm is used to detect an attack: when a pixel is detected for which the resulting score exceeds a certain threshold, the image is recognized as distorted. The approach was tested on the CIFAR-10 and MNIST datasets. The developed method has demonstrated high accuracy in detecting attacks. On the CIFAR-10 dataset, the accuracy of detecting the one-pixel attack was 94.3 %, and the accuracy of detecting the Jacobian-based Saliency Map Attack (JSMA) was 98.3 %. The proposed approach is also applicable in the detection of modified pixels.
The proposed approach is applicable for detecting one-pixel attacks and JSMA, but can potentially be used for any L0-optimized distortions. The approach is applicable for color and grayscale images regardless of the dataset. The proposed approach is potentially universal with respect to the architecture of a neural network, since it uses only input data to detect attacks. The approach can be used to detect images modified by unconventional adversarial attacks in the training sample before the model is formed.
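A sketch of the scoring scheme the abstract describes, added here as an illustration; it is not the paper's code. Assumptions: the neighbor deviation is the Euclidean distance from the mean of the 8 surrounding pixels, the Mahalanobis distance is taken against the image's own pixel distribution, and the function names, sample image and threshold are constructed for this example.

```python
import numpy as np

def anomaly_scores(img):
    """Per-pixel score = local neighbour deviation * global Mahalanobis distance."""
    img = np.asarray(img, dtype=float)
    if img.ndim == 2:                      # grayscale: add a channel axis
        img = img[..., None]
    h, w, c = img.shape
    # Local term: distance from the mean of the 8 neighbours (edge-padded).
    p = np.pad(img, ((1, 1), (1, 1), (0, 0)), mode="edge")
    window = sum(p[dy:dy + h, dx:dx + w] for dy in range(3) for dx in range(3))
    local = np.linalg.norm(img - (window - img) / 8.0, axis=2)
    # Global term: Mahalanobis distance from the image's own pixel distribution.
    flat = img.reshape(-1, c)
    diff = flat - flat.mean(axis=0)
    cov = np.atleast_2d(np.cov(flat, rowvar=False)) + 1e-6 * np.eye(c)
    maha = np.sqrt(np.einsum("ij,jk,ik->i", diff, np.linalg.inv(cov), diff))
    return local * maha.reshape(h, w)

def is_perturbed(img, threshold):
    """Flag the image if any pixel's score exceeds the threshold."""
    scores = anomaly_scores(img)
    y, x = np.unravel_index(scores.argmax(), scores.shape)
    return bool(scores.max() > threshold), (int(y), int(x))

def make_sample(seed=0):
    """Constructed 32x32 RGB image: smooth gradients plus mild sensor-like noise."""
    rng = np.random.default_rng(seed)
    ramp = np.linspace(0.2, 0.8, 32)
    img = np.stack([np.tile(ramp, (32, 1)), np.tile(ramp[:, None], (1, 32)),
                    np.full((32, 32), 0.5)], axis=2)
    return img + rng.normal(0.0, 0.01, img.shape)

if __name__ == "__main__":
    THRESHOLD = 1.0                        # constructed for this sample, not from the paper
    clean = make_sample()
    modified = clean.copy()
    modified[10, 20] = (1.0, 0.0, 1.0)     # one constructed out-of-distribution pixel
    print(is_perturbed(clean, THRESHOLD))
    print(is_perturbed(modified, THRESHOLD))
```

The product matters: pixels adjacent to the modified one deviate from their neighbors but are ordinary globally, so their scores stay under the threshold. On real images the threshold has to be calibrated on clean data.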

Keywords: artificial neural network, image processing, adversarial attack, pseudonorm L0, malicious perturbation, one-pixel attack, Jacobian Saliency Map Attack



Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License