Defense Methods Against Adversarial Examples for Recurrent Neural Networks

Rosenberg, Ishai; Shabtai, Asaf; Elovici, Yuval; Rokach, Lior

doi:10.48550/arxiv.1901.09963

Cited by 12 publications

(22 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The topic is relatively less studied in the text domain [29]. Other than detection using a spell-checker, to the best of our knowledge, the only approach is the one mentioned in [34], which focuses on re-training for improving robustness rather than detecting adversarial texts. In our work, we propose a detection method which is inspired by differential testing [49].…”

Section: Adversarial Text Detectionmentioning

confidence: 99%

“…To the best of our knowledge, there are no existing methods or tools which are available for detecting adversarial texts. Note that the tool mentioned in [34] is not available.…”

Section: Rq1: Is Kl Divergence Useful In Detecting Adversarial Samples?mentioning

confidence: 99%

“…Existing detection methods for adversarial perturbation mainly focuses on the image domain [27], [28], [29], [30]. Recently, Rosenberg et al devised a method to detect adversarial texts for Recurrent Neural Networks [34]. The idea is to compare the confidence scores of the original input and its squeezed variant.…”

Section: Related Workmentioning

confidence: 99%

“…This work is related to work on defending adversarial perturbation, which mainly focus on the image domain, e.g., adversarial training [11], [69] and robust optimization [19]. Rosenberg et al [34] presented several defense methods for adversarial texts, like adversarial training in the text domain or training ensemble models. Pruthi et al [65] proposed to place an auxiliary model before the classifier.…”

Section: Related Workmentioning

confidence: 99%

“…Rejection is however not always feasible or ideal. First, existing detection algorithms often generate a nonnegligible amount of false alarms [29], [30], particularly so for the simple detection algorithms proposed for adversarial texts [34]. Second, rejection may not be an option for certain applications.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Repairing Adversarial Texts through Perturbation

Dong¹,

Wang²,

Sun³

et al. 2022

Preprint

View full text Add to dashboard Cite

It is known that neural networks are subject to attacks through adversarial perturbations, i.e., inputs which are maliciously crafted through perturbations to induce wrong predictions. Furthermore, such attacks are impossible to eliminate, i.e., the adversarial perturbation is still possible after applying mitigation methods such as adversarial training. Multiple approaches have been developed to detect and reject such adversarial inputs, mostly in the image domain. Rejecting suspicious inputs however may not be always feasible or ideal. First, normal inputs may be rejected due to false alarms generated by the detection algorithm. Second, denial-of-service attacks may be conducted by feeding such systems with adversarial inputs. To address the gap, in this work, we propose an approach to automatically repair adversarial texts at runtime. Given a text which is suspected to be adversarial, we novelly apply multiple adversarial perturbation methods in a positive way to identify a repair, i.e., a slightly mutated but semantically equivalent text that the neural network correctly classifies. Our approach has been experimented with multiple models trained for natural language processing tasks and the results show that our approach is effective, i.e., it successfully repairs about 80% of the adversarial texts. Furthermore, depending on the applied perturbation method, an adversarial text could be repaired in as short as one second on average.

show abstract

Section: Adversarial Text Detectionmentioning

confidence: 99%

“…To the best of our knowledge, there are no existing methods or tools which are available for detecting adversarial texts. Note that the tool mentioned in [34] is not available.…”

Section: Rq1: Is Kl Divergence Useful In Detecting Adversarial Samples?mentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Repairing Adversarial Texts through Perturbation

Dong¹,

Wang²,

Sun³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

ARGAN: Adversarially Robust Generative Adversarial Networks for Deep Neural Networks Against Adversarial Examples

et al. 2022

View full text Add to dashboard Cite

An adversarial example, which is an input instance with small, intentional feature perturbations to machine learning models, represents a concrete problem in Artificial intelligence safety. As an emerging defense method to defend against adversarial examples, generative adversarial networks-based defense methods have recently been studied. However, the performance of the state-of-the-art generative adversarial networks-based defense methods is limited because the target deep neural network models with generative adversarial networks-based defense methods are robust against adversarial examples but make a false decision for legitimate input data. To solve the accuracy degradation of the generative adversarial networks-based defense methods for legitimate input data, we propose a new generative adversarial networks-based defense method, which is called Adversarially Robust Generative Adversarial Networks(ARGAN). While converting input data to machine learning models using the two-step transformation architecture, ARGAN learns the generator model to reflect the vulnerability of the target deep neural network model against adversarial examples and optimizes parameter values of the generator model for a joint loss function. From the experimental results under various datasets collected from diverse applications, we show that the accuracy of ARGAN for legitimate input data is good-enough while keeping the target deep neural network model robust against adversarial examples. We also show that the accuracy of ARGAN outperforms the accuracy of the state-of-the-art generative adversarial networks-based defense methods.

show abstract

Implementing ai-driven methodologies for cyberattack detection

Μπουντάκας

View full text Add to dashboard Cite

Η ευρεία επέκταση των ψηφιακών τεχνολογιών και των διαδικτυακών εφαρμογών έχει κάνει τις καθημερινές δραστηριότητες ευκολότερες και πιο διασκεδαστικές. Ωστόσο, οδήγησε στη δημιουργία νέων κυβερνοεγκληματικών ενεργειών καθώς και στην ανάπτυξη εξελιγμένων κυβερνοεπιθέσεων. Αυτό το νέο παράδειγμα έχει κάνει τις παραδοσιακές αμυντικές λύσεις ανίκανες να αντιμετωπίσουν την ανάπτυξη των κυβερνοεπιθέσεων και έτσι έχουν εμφανιστεί νέες άμυνες που εκμεταλλεύονται την αποτελεσματικότητα των συστημάτων Τεχνητής Νοημοσύνης. Παρόλο που η Μηχανική Μάθηση έχει χρησιμοποιηθεί συχνά για τον εντοπισμό και τον μετριασμό των επιθέσεων στον κυβερνοχώρο, η βιβλιογραφία έχει αρκετά κενά και περιορισμούς που είτε καθιστούν τις τρέχουσες λύσεις αναξιόπιστες είτε δύσκολες στην εφαρμογή τους στην πραγματική ζωή. Προς αυτή την κατεύθυνση και προκειμένου να αντιμετωπιστούν οι περιορισμοί των υφιστάμενων ερευνών, η παρούσα διατριβή έχει μελετήσει την ασφάλεια των συστημάτων Τεχνητής Νοημοσύνης, ερευνώντας τις τρέχουσες αμυντικές λύσεις έναντι των επιθέσεων Adversarial Machine Learning και έχει δημιουργήσει μια ταξινόμηση των προσδιορισμένων αμυντικών λύσεων για να διευκολύνει τους ερευνητές να προτείνουν στο μέλλον νέες ισχυρές άμυνες. Αφού αναγνωρίσαμε ότι τα συστήματα Τεχνητής Νοημοσύνης μπορούν να προστατευτούν, αυτή η διατριβή επικεντρώθηκε στο σχεδιασμό και την ανάπτυξη αμυντικών μεθοδολογιών Μηχανικής Μάθησης έναντι δύο γνωστών κυβερνοεπιθέσεων, γνωστών ως phishing και exploit kit. Τα πειραματικά αποτελέσματα έδειξαν ότι οι προτεινόμενες μεθοδολογίες, συνολικά, βελτίωσαν την απόδοση ανίχνευσης επιθέσεων phishing και exploit kit, καταλήγοντας στο συμπέρασμα ότι η Μηχανική Μάθηση μπορεί να χρησιμοποιηθεί για να σταματήσει τη συνεχιζόμενη απειλή των κυβερνοεπιθέσεων. Επιπλέον, η παρούσα διατριβή μελετά μια επίθεση code injection που εισήχθη πρόσφατα, η οποία ονομάζεται Server-side JavaScript Injection και προτείνει μια μεθοδολογία που έχει δημιουργηθεί επίσης ως εργαλείο λογισμικού που εντοπίζει και εκμεταλλεύεται αυτόματα ευπάθειες που σχετίζονται με τις επιθέσεις Server-side JavaScript Injection. Τέλος, αυτή η διατριβή έχει εντοπίσει διάφορες κατευθύνσεις για μελλοντική έρευνα που ελπίζουμε ότι θα διευκολύνουν τους ερευνητές στο μέλλον να δημιουργήσουν ισχυρές αμυντικές λύσεις και να αντιμετωπίσουν αποτελεσματικά εξελιγμένες κυβερνοεπιθέσεις.

show abstract

Defense Methods Against Adversarial Examples for Recurrent Neural Networks

Cited by 12 publications

References 24 publications

Repairing Adversarial Texts through Perturbation

Repairing Adversarial Texts through Perturbation

ARGAN: Adversarially Robust Generative Adversarial Networks for Deep Neural Networks Against Adversarial Examples

Implementing ai-driven methodologies for cyberattack detection

Contact Info

Product

Resources

About