doi: 10.17586/2226-1494-2024-24-3-490-499
An approach to detecting L0-optimized attacks on image processing neural networks via means of mathematical statistics
Article in English
For citation:
Esipov D.A. An approach to detecting L0-optimized attacks on image processing neural networks via means of mathematical statistics. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2024, vol. 24, no. 3, pp. 490–499. doi: 10.17586/2226-1494-2024-24-3-490-499
Abstract
Artificial intelligence has become widespread in image processing tasks. At the same time, the number of vulnerabilities in systems implementing these artificial intelligence technologies is growing, i.e. the attack surface is expanding. The main threats to information security can be realized by introducing malicious perturbations into the input data, regardless of their type. Approaches and methods for detecting such attacks have been developed, based in particular on the use of an autoencoder or on the analysis of the layers of the target neural network. The disadvantage of existing methods, which significantly narrows their scope of application, is their dependence on a specific dataset or model architecture. This paper addresses the problem of expanding the scope (increasing the scalability) of methods for detecting L0-optimized perturbations introduced by unconventional pixel attacks. An approach to detecting these attacks using statistical analysis of the input data, independent of the model and dataset, is proposed. It is assumed that the perturbation pixels embedded in the image by an L0-optimized attack appear as both local and global outliers. Outlier detection is performed using statistical metrics such as the deviation from the nearest neighbors and the Mahalanobis distance. The anomaly score of each pixel is computed as the product of these metrics. A threshold clipping algorithm is used to detect an attack: when a pixel whose score exceeds a certain threshold is found, the image is recognized as distorted. The approach was tested on the CIFAR-10 and MNIST datasets and demonstrated high detection accuracy. On the CIFAR-10 dataset, the detection accuracy was 94.3 % for the one-pixel attack and 98.3 % for the Jacobian-based Saliency Map Attack (JSMA). The proposed approach is also applicable to detecting which pixels were modified.
The proposed approach covers one-pixel attacks and JSMA, but can potentially be applied to any L0-optimized distortion. It works for color and grayscale images regardless of the dataset, and it is potentially independent of the neural network architecture, since only the input data are used to detect attacks. The approach can also be used to screen the training sample for images modified by unconventional adversarial attacks before the model is trained.
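The pipeline described in the abstract can be sketched as follows. This is a minimal illustrative implementation, not the authors' code: the exact local metric, window size, covariance regularization, and threshold selection used in the paper are not specified here, so the choices below (a 3×3 neighborhood, mean absolute deviation, a pseudo-inverse for the color covariance) are assumptions.

```python
import numpy as np

def anomaly_scores(img, eps=1e-9):
    """Per-pixel anomaly score for an H x W x C image.

    Following the idea in the abstract, the score is the product of:
    - a local metric: mean absolute deviation of a pixel from its
      8 neighbours in a 3x3 window (assumed form of "deviation from
      nearest neighbors"),
    - a global metric: Mahalanobis distance of the pixel's colour
      vector from the image-wide colour distribution.
    """
    h, w, c = img.shape
    x = img.astype(np.float64)

    # Local metric: average absolute difference to the 8 neighbours.
    padded = np.pad(x, ((1, 1), (1, 1), (0, 0)), mode="edge")
    local = np.zeros((h, w))
    for dy in (-1, 0, 1):
        for dx in (-1, 0, 1):
            if dy == 0 and dx == 0:
                continue
            shifted = padded[1 + dy:1 + dy + h, 1 + dx:1 + dx + w]
            local += np.abs(x - shifted).sum(axis=2)
    local /= 8.0

    # Global metric: Mahalanobis distance in colour space.
    flat = x.reshape(-1, c)
    mean = flat.mean(axis=0)
    cov = np.cov(flat, rowvar=False).reshape(c, c)
    inv = np.linalg.pinv(cov + eps * np.eye(c))   # regularized inverse
    diff = flat - mean
    maha = np.sqrt(np.einsum("ij,jk,ik->i", diff, inv, diff)).reshape(h, w)

    return local * maha

def is_attacked(img, threshold):
    """Threshold clipping: flag the image as distorted if any pixel's
    anomaly score exceeds the threshold."""
    return bool((anomaly_scores(img) > threshold).any())
```

For example, planting a single saturated pixel in an otherwise smooth image produces a score that is both a local outlier (large neighbor deviation) and a global one (large Mahalanobis distance), so their product stands far above the scores of unmodified pixels; how the threshold itself is chosen is left open here.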
Keywords: artificial neural network, image processing, adversarial attack, pseudonorm L0, malicious perturbation, one-pixel attack, Jacobian Saliency Map Attack