Deflecting Adversarial Attacks with Pixel Deflection

Prakash, Aaditya; Moran, Nick; Garber, Solomon; DiLillo, Antonella; Storer, James A.

doi:10.1109/cvpr.2018.00894

Cited by 243 publications

(186 citation statements)

References 29 publications

Supporting

Mentioning

184

Contrasting

Order By: Relevance

“…where the only difference between {B k l } L l=1 and {B k−1 l } L l=1 are the bits flipped in Eq. (10). Note that, those bits flipped tob k l in Eq.…”

Section: Progressive Bit Searchmentioning

confidence: 99%

Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search

Rakin

Fan

2019

2019 IEEE/CVF International Conference on Computer Vision (ICCV)

132

View full text Add to dashboard Cite

Several important security issues of Deep Neural Network (DNN) have been raised recently associated with different applications and components. The most widely investigated security concern of DNN is from its malicious input, a.k.a adversarial example. Nevertheless, the security challenge of DNN's parameters is not well explored yet. In this work, we are the first to propose a novel DNN weight attack methodology called Bit-Flip Attack (BFA) which can crush a neural network through maliciously flipping extremely small amount of bits within its weight storage memory system (i.e., DRAM). The bit-flip operations could be conducted through well-known Row-Hammer attack, while our main contribution is to develop an algorithm to identify the most vulnerable bits of DNN weight parameters (stored in memory as binary bits), that could maximize the accuracy degradation with a minimum number of bit-flips. Our proposed BFA utilizes a Progressive Bit Search (PBS) method which combines gradient ranking and progressive search to identify the most vulnerable bit to be flipped. With the aid of PBS, we can successfully attack a ResNet-18 fully malfunction (i.e., top-1 accuracy degrade from 69.8% to 0.1%) only through 13 bit-flips out of 93 million bits, while randomly flipping 100 bits merely degrades the accuracy by less than 1%.

show abstract

“…where the only difference between {B k l } L l=1 and {B k−1 l } L l=1 are the bits flipped in Eq. (10). Note that, those bits flipped tob k l in Eq.…”

Section: Progressive Bit Searchmentioning

confidence: 99%

Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search

Rakin

Fan

2019

2019 IEEE/CVF International Conference on Computer Vision (ICCV)

132

View full text Add to dashboard Cite

show abstract

“…A foveation based method was proposed by Luo et al [32], which shows robustness against weak attacks like L-BFGS [13] and FGSM [14]. Another closely related work to ours is that of Prakash et al [26], which deflects attention by carefully corrupting less critical image pixels. This introduces new artifacts which reduce the image quality and can result in misclassification.…”

Section: Adversarial Defensesmentioning

confidence: 96%

“…To handle such artifacts, BayesShrink denoising in the wavelet domain is used. It has been shown that denoising in the wavelet domain yields superior performance than other techniques such as bilateral, an-isotropic, TVM and Wiener-Hunt deconvolution [26]. Another closely related work is that of Xie et al [18], which performs image transformations by randomly re-sizing and padding an image before passing it through a CNN classifier.…”

Section: Adversarial Defensesmentioning

confidence: 99%

Image Super-Resolution as a Defense Against Adversarial Attacks

Mustafa

Khan

Hayat

et al. 2020

IEEE Trans. on Image Process.

110

View full text Add to dashboard Cite

Convolutional Neural Networks have achieved significant success across multiple computer vision tasks. However, they are vulnerable to carefully crafted, human-imperceptible adversarial noise patterns which constrain their deployment in critical security-sensitive systems. This paper proposes a computationally efficient image enhancement approach that provides a strong defense mechanism to effectively mitigate the effect of such adversarial perturbations. We show that deep image restoration networks learn mapping functions that can bring off-the-manifold adversarial samples onto the natural image manifold, thus restoring classification towards correct classes. A distinguishing feature of our approach is that, in addition to providing robustness against attacks, it simultaneously enhances image quality and retains models performance on clean images. Furthermore, the proposed method does not modify the classifier or requires a separate mechanism to detect adversarial images. The effectiveness of the scheme has been demonstrated through extensive experiments, where it has proven a strong defense in gray-box settings. The proposed scheme is simple and has the following advantages: (1) it does not require any model training or parameter optimization, (2) it complements other existing defense mechanisms, (3) it is agnostic to the attacked model and attack type and (4) it provides superior performance across all popular attack algorithms. Our codes are publicly available at https:// github.com/aamir-mustafa/super-resolution-adversarial-defense.

show abstract

“…Pixel Deflection [23]: A random pixel is replaced by another random pixel in a local neighborhood. It works well due to the assumption that adversarial attacks rely on specific activation functions, i.e., only some pixels are manipulated to make the attack work.…”

Section: Adversarial Attacks and Defensesmentioning

confidence: 99%

Robustness of Saak Transform Against Adversarial Attacks

Ramanathan

Manimaran

You³

et al. 2019

2019 IEEE International Conference on Image Processing (ICIP)

View full text Add to dashboard Cite

Image classification is vulnerable to adversarial attacks. This work investigates the robustness of Saak transform against adversarial attacks towards high performance image classification. We develop a complete image classification system based on multi-stage Saak transform. In the Saak transform domain, clean and adversarial images demonstrate different distributions at different spectral dimensions. Selection of the spectral dimensions at every stage can be viewed as an automatic denoising process. Motivated by this observation, we carefully design strategies of feature extraction, representation and classification that increase adversarial robustness. The performances with well-known datasets and attacks are demonstrated by extensive experimental evaluations.

show abstract

Deflecting Adversarial Attacks with Pixel Deflection

Cited by 243 publications

References 29 publications

Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search

Bit-Flip Attack: Crushing Neural Network With Progressive Bit Search

Image Super-Resolution as a Defense Against Adversarial Attacks

Robustness of Saak Transform Against Adversarial Attacks

Contact Info

Product

Resources

About