Despite their immense popularity, deep learning-based acoustic systems are inherently vulnerable to adversarial attacks, in which maliciously crafted audios trigger target systems to misbehave. In this paper, we present SA, a new class of attacks for generating adversarial audios. Compared with existing attacks, SA offers a set of significant features: (i) versatile: it deceives a range of end-to-end acoustic systems under both white-box and black-box settings; (ii) effective: it generates adversarial audios that are recognized as specific phrases by target acoustic systems; and (iii) stealthy: it generates adversarial audios that are indistinguishable from their benign counterparts to human perception. We empirically evaluate SA on a set of state-of-the-art deep learning-based acoustic systems (including speech command recognition, speaker recognition, and sound event classification); the results demonstrate the versatility, effectiveness, and stealthiness of SA. For instance, SA achieves a 99.45% attack success rate on the IEMOCAP dataset against the ResNet18 model, and the generated adversarial audios are also misinterpreted by multiple popular ASR platforms, including Google Cloud Speech, Microsoft Bing Voice, and IBM Speech-to-Text. We further evaluate three potential defenses against such attacks, pointing to promising directions for future research.