Adversarial Machine Learning: A Systematic Survey of Backdoor Attack, Weight Attack and Adversarial Example

Liu, Li; Zhu, Zhihong; Liu, Qingshan; He, Zhaofeng; Lyu, Siwei

doi:10.48550/arxiv.2302.09457

Cited by 4 publications

(7 citation statements)

References 176 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Backdoor attack is firstly proposed in 2D image domain (Gu, Dolan-Gavitt, and Garg 2017). Then, a lot of attacks was developed (Zhao et al 2022;Wu et al 2023;Feng et al 2022;Yuan et al 2023;Doan et al 2023). However, due to data format restriction, attacks for 2D image cannot directly apply to 3D point cloud.…”

Section: Related Workmentioning

confidence: 99%

Invisible Backdoor Attack against 3D Point Cloud Classifier in Graph Spectral Domain

Fan,

He,

et al. 2024

AAAI

View full text Add to dashboard Cite

3D point cloud has been wildly used in security crucial domains, such as self-driving and 3D face recognition. Backdoor attack is a serious threat that usually destroy Deep Neural Networks (DNN) in the training stage. Though a few 3D backdoor attacks are designed to achieve guaranteed attack efficiency, their deformation will alarm human inspection. To obtain invisible backdoored point cloud, this paper proposes a novel 3D backdoor attack, named IBAPC, which generates backdoor trigger in the graph spectral domain. The effectiveness is grounded by the advantage of graph spectral signal that it can induce both global structure and local points to be responsible for the caused deformation in spatial domain. In detail, a new backdoor implanting function is proposed whose aim is to transform point cloud to graph spectral signal for conducting backdoor trigger. Then, we design a backdoor training procedure which updates the parameter of backdoor implanting function and victim 3D DNN alternately. Finally, the backdoored 3D DNN and its associated backdoor implanting function is obtained by finishing the backdoor training procedure. Experiment results suggest that IBAPC achieves SOTA attack stealthiness from three aspects including objective distance measurement, subjective human evaluation, graph spectral signal residual. At the same time, it obtains competitive attack efficiency. The code is available at https://github.com/f-lk/IBAPC.

show abstract

Section: Related Workmentioning

confidence: 99%

Invisible Backdoor Attack against 3D Point Cloud Classifier in Graph Spectral Domain

Fan,

He,

et al. 2024

AAAI

View full text Add to dashboard Cite

show abstract

“…Consequently, the proposed vicinage-attack can be seen as a vulnerability test for trust systems. Reference [40] outlines three basic conditions for adversarial attacks: stealthiness, consistency, and inconsistency. The vulnerability of a trust system is also reflected in these three aspects.…”

Section: Vulnerability Testing On Trust Systemmentioning

confidence: 99%

Unleashing the Power of Indirect Attacks against Trust Prediction via Preferential Path

Bu,

Zhu,

Geng

et al. 2023

Preprint

View full text Add to dashboard Cite

In the realm of network security, adversarial attacks pose a significant threat, prompting research into innovative strategies for enhancing both attack and defense mechanisms. This paper presents a novel exploration into the enhancement of adversarial attacks on Fairness and Goodness Algorithm (FGA) and Review to Reviewer (REV2), focusing on trust prediction within signed graphs. In contrast to traditional time-based dynamics, the trust propagation in FGA and REV2 is grounded on iterative processes. Through meticulous analysis of network structures, this research uncovers the strong ties and weak ties within FGA. Additionally , it reveals the existence of preferential paths in REV2, which significantly influence the spread of information during algorithm iterations. Leveraging these revelations, we introduce a novel approach known as vicinage-attack designed to bolster adversarial attacks by strategically targeting edges along these influential pathways. The significance of this work lies in identifying adversarial perturbation patterns that impact trust prediction on signed graphs, shedding light on their pervasive influence. Our findings not only contribute to the advancement of adver-sarial attack techniques but also lay the foundation for a deeper understanding of trust propagation patterns. By elucidating the propagation bias within FGA and REV2, this research offers new insights for both network security strategies and adversarial mitigation techniques in trust prediction.

show abstract

“…For instance, a model could yield significantly different predictions on two visually similar images, with one being perturbed by malicious and imperceptible noises [15], [16], whereas a human's prediction would remain unaffected by such noises. We refer to this phenomenon as the adversarial phenomenon or adversarial attack, signifying the inherent adversarial relationship between DL models and human perception [28].…”

Section: A Background Knowledgementioning

confidence: 99%

“…To comprehensively assess the robustness of these models, we conducted rigorous experiments involving a diverse set of classifiers and detectors, representing a wide range of mainstream methods. Through this extensive evaluation, we have uncovered insightful and intriguing findings that illuminate the relationship between the crafting of [32] IEEE Access ✓ ✕ ✕ ✕ ✕ ✕ 2018 [34] Computer Science Review ✓ ✕ ✕ ✕ ✕ ✕ 2018 [31] arXiv ✓ ✕ ✕ ✕ ✕ ✕ 2019 [33] Applied Science ✓ ✕ ✕ ✕ ✕ ✕ 2020 [42] ACM Computing Surveys ✓ ✕ ✕ ✕ ✕ ✕ 2021 [35] IEEE Access ✓ ✕ ✕ ✕ ✕ ✕ 2021 [41] ACM Computing Surveys ✓ ✕ ✕ ✕ ✕ ✕ 2021 [40] TII ✓ ✕ ✕ ✕ ✕ ✕ 2022 [47] arXiv ✓ * ✕ ✕ ✕ ✕ 2022 [48] INJOIT ✓ ✕ ✕ ✕ ✕ ✕ 2022 [49] Artificial Intelligence Review ✓ ✕ ✓ ✕ ✓ ✕ 2022 [39] TPAMI ✓ ✕ ✕ ✕ ✕ ✕ 2022 [38] TII ✕ ✕ ✕ ✕ ✕ ✕ 2022 [49] arXiv ✓ * ✕ ✕ ✕ ✕ 2022 [25] arXiv ✓ ✕ ✕ ✕ ✕ ✕ 2022 [44] arXiv ✓ * ✕ ✕ ✕ ✕ 2022 [45] arXiv * ✓ ✕ ✕ ✕ ✕ 2022 [37] Neurocomputing ✓ ✕ ✕ ✕ ✕ ✕ 2023 [50] ACM Computing Surveys * ✕ ✕ ✕ ✕ ✕ 2023 [28] arXiv ✓ ✕ ✕ ✕ ✕ ✕ 2023 [46] ICAI * ✓ ✕ ✕ ✕ ✕ Benchmarks 2020 [29] CVPR ✕ ✕ ✓ ✕ ✓ ✕ 2021 [27] arXiv ✕ ✕ ✓ ✕ ✓ ✓ 2022 [51] IJCAI ✕ ✕ ✕ ✓ ✓ ✕ 2022 [26] NIPS ✕ ✕ ✓ ✕ ✓ ✕ 2022 [52] arXiv ✕ ✕ ✕ ✓ ✓ ✕ 2022 [36] Pattern Recognition ✕ ✕ ✓ ✕ ✓ ✕ 2023 [30] arXiv ✕ ✕ ✓ ✕ ✓ ✓ 2023 [53] Pattern Recognition ✕ ✕ ✓ ✕ ✓ ✕ 2023 [54] CVPR…”

Section: Introductionmentioning

confidence: 99%

Benchmarking Adversarial Patch Against Aerial Detection

Lian

Mei

Zhang

et al. 2022

IEEE Trans. Geosci. Remote Sensing

View full text Add to dashboard Cite

Deep neural networks (DNNs) have found widespread applications in interpreting remote sensing (RS) imagery. However, it has been demonstrated in previous works that DNNs are vulnerable to different types of noises, particularly adversarial noises. Surprisingly, there has been a lack of comprehensive studies on the robustness of RS tasks, prompting us to undertake a thorough survey and benchmark on the robustness of image classification and object detection in RS. To our best knowledge, this study represents the first comprehensive examination of both natural robustness and adversarial robustness in RS tasks. Specifically, we have curated and made publicly available datasets that contain natural and adversarial noises. These datasets serve as valuable resources for evaluating the robustness of DNNs-based models. To provide a comprehensive assessment of model robustness, we conducted meticulous experiments with numerous different classifiers and detectors, encompassing a wide range of mainstream methods. Through rigorous evaluation, we have uncovered insightful and intriguing findings, which shed light on the relationship between adversarial noise crafting and model training, yielding a deeper understanding of the susceptibility and limitations of various models, and providing guidance for the development of more resilient and robust models

show abstract

Adversarial Machine Learning: A Systematic Survey of Backdoor Attack, Weight Attack and Adversarial Example

Cited by 4 publications

References 176 publications

Invisible Backdoor Attack against 3D Point Cloud Classifier in Graph Spectral Domain

Invisible Backdoor Attack against 3D Point Cloud Classifier in Graph Spectral Domain

Unleashing the Power of Indirect Attacks against Trust Prediction via Preferential Path

Benchmarking Adversarial Patch Against Aerial Detection

Contact Info

Product

Resources

About