Defensive dropout for hardening deep neural networks under adversarial attacks

Wang, Siyue; Wang, Xiao; Zhao, Pu; Wen, Wujie; Kaeli, David; Chin, Peter; Lin, Xue

doi:10.1145/3240765.3264699

Cited by 53 publications

(38 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Breaking the transferability of adversarial examples is a key challenge for the research community. Currently, defensive dropout [130] at test time is a promising defense. Adversarial example detection is also a useful area of research.…”

Section: Discussionmentioning

confidence: 99%

“…Functionality-preserving adversarial examples are an interesting avenue for further research. Adversarial Training [69] Distillation as defense [118] Feedback Alignment [119] Assessing Threat [120] Statistical Test [121] Detector SubNetwork [122] Artifacts [123] MagNet [124] Feature Squeezing [125] GAT [96] EAT [126] Defense-GAN [97] Assessing Threat [127] Stochastic Activation Pruning [128] DeepTest [129] DeepRoad [130] Defensive Dropout [130] Def-IDS [99] Multi-Classifier System [131] Weight Map Layers [132] Sequence Squeezing [105] Feature Removal [133] Adversarial Training [134] Adversarial Training [135] Game Theory [136] Hardening [137] Variational Auto-encoder [138] MANDA…”

Section: Adversarial Example Constraintsmentioning

confidence: 99%

“…It is particularly useful where there is limited training data and over-fitting is more likely to occur. Wang et al [130] propose hardening DNN using defensive dropout at test time. Unfortunately, there is inherently a trade-off between defensive dropout and test accuracy; however, a relatively small decrease in test accuracy can significantly reduce the success rate of attacks.…”

Section: Pre-processing As a Defense Against Adversarial Examplesmentioning

confidence: 99%

See 2 more Smart Citations

Functionality-preserving Adversarial Machine Learning For Robust Classification In Cybersecurity And Intrusion Detection Domains: A Survey

McCarthy¹,

Ghadafi²,

Andriotis³

et al. 2022

Preprint

View full text Add to dashboard Cite

Machine learning has become widely adopted as a strategy for dealing with a variety of cybersecurity issues, ranging from insider threat detection to intrusion and malware detection. However, by their very nature, machine learning systems can introduce vulnerabilities to a security defence whereby a learnt model is unaware of so-called adversarial examples that may intentionally result in mis-classification and therefore bypass a system. Adversarial machine learning has been a research topic for over a decade and is now an accepted but open problem. Much of the early research on adversarial examples has addressed issues related to computer vision, yet as machine learning continues to be adopted in other domains, then likewise it is important to assess the potential vulnerabilities that may occur. A key part of transferring to new domains relates to functionality-preservation, such that any crafted attack can still execute the original intended functionality when inspected by a human and/or a machine. In this literature survey, our main objective is to address the domain of adversarial machine learning attacks and examine the robustness of machine learning models in the cybersecurity and intrusion detection domains. We identify the key trends in current work observed in the literature, and explore how these relate to the research challenges that remain open for future works. Inclusion criteria were: articles related to functionality-preservation in adversarial machine learning for cybersecurity or intrusion detection with insight into robust classification. Generally, we excluded works that are not yet peer-reviewed; however, the authors include some significant papers that make a clear contribution to the domain. There is a risk of subjective bias in the selection of non-peer reviewed articles; however, this is mitigated by co-author review. We selected the following databases with a sizeable computer science element to search and retrieve literature: IEEE Xplore, ACM Digital Library, ScienceDirect, Scopus, SpringerLink,Google Scholar. The literature search was conducted upto January 2022. We have striven to ensure a comprehensive coverage of the domain to the best of our knowledge. We have performed systematic searches of the literature, noting our search terms and results, and following up on all materials that appear relevant and fit within the topic domains of this review. This research was funded by the Partnership PhD scheme at the University of the West of England in collaboration with Techmodal Ltd.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Adversarial Example Constraintsmentioning

confidence: 99%

Section: Pre-processing As a Defense Against Adversarial Examplesmentioning

confidence: 99%

See 1 more Smart Citation

Functionality-preserving Adversarial Machine Learning For Robust Classification In Cybersecurity And Intrusion Detection Domains: A Survey

McCarthy¹,

Ghadafi²,

Andriotis³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Implemented under the L 0 , L 2 and L ∞ norm, the CW Attack [7] is the strongest attack in the literature [40], [44], [61]. It is based on L-BFGS [54] and can be targeted or untargeted.…”

Section: ) Carlini-wagner (Cw) Attackmentioning

confidence: 99%

Generating Adversarial Examples in One Shot With Image-to-Image Translation GAN

Zhang

2019

IEEE Access

View full text Add to dashboard Cite

Deep Neural Networks (DNNs) provide state-of-the-art results for most machine learning and computer vision tasks. However, they have been found susceptible to adversarial examples. In the recent literature, many ways of generating adversarial examples have been discovered. In this work, we propose a novel method to generate adversarial examples with generative adversarial networks (GANs). Compared to traditional optimisation-based methods, our method provides a fast yet powerful alternative for adversary generation. Unlike other GAN-based approaches in the literature which learn to generate an intermediate perturbation vector, our method generates adversarial examples from benign input images in a straightforward manner. By directly generating adversarial examples from given input images, our method produces perturbations that better align with the underlying edge and shape contained in the inputs, hence more natural-looking and imperceptible to human eyes. We evaluate our method on the MNIST and the CIFAR-10 dataset and demonstrate that it outperforms the state-of-the-art GAN-based attack AdvGAN with similar attack capability in terms of distortion. We show that our method produces competitive results to notable optimisation-based attacks in the literature including the strongest Carlini & Wagner (CW) attack. INDEX TERMSAdversarial examples, DNN attacks, generative adversarial networks (GANs).

show abstract

“…al. 2018;Madry et al 2017;Wang et al 2019;2018a;Xu et al 2019). This work mainly investigates the first category to build the groundwork towards developing potential defensive measures in reliable ML.…”

Section: Introductionmentioning

confidence: 99%

Towards Query-Efficient Black-Box Adversary with Zeroth-Order Natural Gradient Descent

Zhao

Chen²,

Wang

et al. 2020

AAAI

Self Cite

View full text Add to dashboard Cite

Despite the great achievements of the modern deep neural networks (DNNs), the vulnerability/robustness of state-of-the-art DNNs raises security concerns in many application domains requiring high reliability. Various adversarial attacks are proposed to sabotage the learning performance of DNN models. Among those, the black-box adversarial attack methods have received special attentions owing to their practicality and simplicity. Black-box attacks usually prefer less queries in order to maintain stealthy and low costs. However, most of the current black-box attack methods adopt the first-order gradient descent method, which may come with certain deficiencies such as relatively slow convergence and high sensitivity to hyper-parameter settings. In this paper, we propose a zeroth-order natural gradient descent (ZO-NGD) method to design the adversarial attacks, which incorporates the zeroth-order gradient estimation technique catering to the black-box attack scenario and the second-order natural gradient descent to achieve higher query efficiency. The empirical evaluations on image classification datasets demonstrate that ZO-NGD can obtain significantly lower model query complexities compared with state-of-the-art attack methods.

show abstract

Defensive dropout for hardening deep neural networks under adversarial attacks

Cited by 53 publications

References 24 publications

Functionality-preserving Adversarial Machine Learning For Robust Classification In Cybersecurity And Intrusion Detection Domains: A Survey

Functionality-preserving Adversarial Machine Learning For Robust Classification In Cybersecurity And Intrusion Detection Domains: A Survey

Generating Adversarial Examples in One Shot With Image-to-Image Translation GAN

Towards Query-Efficient Black-Box Adversary with Zeroth-Order Natural Gradient Descent

Contact Info

Product

Resources

About