FAdeML: Understanding the Impact of Pre-Processing Noise Filtering on Adversarial Machine Learning

Khalid, Faiq; Hanif, Muhammad Abdullah; Rehman, Semeen; Qadir, Junaid; Shafique, Muhammad

doi:10.23919/date.2019.8715141

Cited by 33 publications

(32 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Different pre-processing techniques can elude the effectiveness of adversarial attacks. Simple pre-processing filters [304] completely alter the functionality of the attack. Randomized smoothing [305] produces a Gaussian noise at the input to mitigate the effect of the adversarial perturbations on the inputs.…”

Section: B Adversarial Defensesmentioning

confidence: 99%

Hardware and Software Optimizations for Accelerating Deep Neural Networks: Survey of Current Trends, Challenges, and the Road Ahead

et al. 2020

Self Cite

View full text Add to dashboard Cite

Currently, Machine Learning (ML) is becoming ubiquitous in everyday life. Deep Learning (DL) is already present in many applications ranging from computer vision for medicine to autonomous driving of modern cars as well as other sectors in security, healthcare, and finance. However, to achieve impressive performance, these algorithms employ very deep networks, requiring a significant computational power, both during the training and inference time. A single inference of a DL model may require billions of multiply-and-accumulated operations, making the DL extremely compute-and energy-hungry. In a scenario where several sophisticated algorithms need to be executed with limited energy and low latency, the need for cost-effective hardware platforms capable of implementing energy-efficient DL execution arises. This paper first introduces the key properties of two brain-inspired models like Deep Neural Network (DNN), and Spiking Neural Network (SNN), and then analyzes techniques to produce efficient and high-performance designs. This work summarizes and compares the works for four leading platforms for the execution of algorithms such as CPU, GPU, FPGA and ASIC describing the main solutions of the state-of-the-art, giving much prominence to the last two solutions since they offer greater design flexibility and bear the potential of high energy-efficiency, especially for the inference process. In addition to hardware solutions, this paper discusses some of the important security issues that these DNN and SNN models may have during their execution, and offers a comprehensive section on benchmarking, explaining how to assess the quality of different networks and hardware systems designed for them.

show abstract

Section: B Adversarial Defensesmentioning

confidence: 99%

Hardware and Software Optimizations for Accelerating Deep Neural Networks: Survey of Current Trends, Challenges, and the Road Ahead

et al. 2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…10: (a) An overview of the different security attacks and corresponding defense strategies for machine learning, especially DNNs. (b) An example of our training dataset-unaware imperceptible attack (e.g., TrISec [29]) and pre-processing based defense strategies (e.g., QuSecNets [30], FAdeML [31]).…”

Section: Machine Learning Securitymentioning

confidence: 99%

“…These defense strategies can be countered by using pruning or weight sensitivity analysis before adding the neural Trojans or before training it for backdoors [12]. Several defense strategies have been proposed to counter the adversarial attacks [77], e.g., DNN masking, gradient masking, adversarial learning, generative adversarial network based defense, data augmentation, and pre-process the input data (e.g., noise filtering [31], quantization [30]) to detect remove or make the adversarial noise perceptible. For example, recently, it has been studied that even low pass noise filtering at the input of the DNN can neutralize the adversarial examples if the attacker is unaware of it [31].…”

Section: B Defensesmentioning

confidence: 99%

“…Several defense strategies have been proposed to counter the adversarial attacks [77], e.g., DNN masking, gradient masking, adversarial learning, generative adversarial network based defense, data augmentation, and pre-process the input data (e.g., noise filtering [31], quantization [30]) to detect remove or make the adversarial noise perceptible. For example, recently, it has been studied that even low pass noise filtering at the input of the DNN can neutralize the adversarial examples if the attacker is unaware of it [31]. Note, all of these defense strategies can be countered by decision-based attacks which can estimate the DNN behavior even in masked DNNs under the black-box settings [1]- [3], [32].…”

Section: B Defensesmentioning

confidence: 99%

See 1 more Smart Citation

Deep Learning for Edge Computing: Current Trends, Cross-Layer Optimizations, and Open Research Challenges

Marchisio

Hanif

Khalid

et al. 2019

2019 IEEE Computer Society Annual Symposium on VLSI (ISVLSI)

Self Cite

View full text Add to dashboard Cite

In the Machine Learning era, Deep Neural Networks (DNNs) have taken the spotlight, due to their unmatchable performance in several applications, such as image processing, computer vision, and natural language processing. However, as DNNs grow in their complexity, their associated energy consumption becomes a challenging problem. Such challenge heightens for edge computing, where the computing devices are resource-constrained while operating on limited energy budget. Therefore, specialized optimizations for deep learning have to be performed at both software and hardware levels. In this paper, we comprehensively survey the current trends of such optimizations and discuss key open research mid-term and long-term challenges.

show abstract

“…Moreover, for most of these techniques, the noise pattern is visible and can be removed by inspection. 2) Inference Data Poisoning (IDP): This attack exploits the black-box model of the ML-modules to learn the noise patterns which can perform misclassification or confidence reduction [20] [21], [22]. However, these learned noise patterns can be visible [23] or imperceptible.…”

Section: A Security Threats In Dnn Modulesmentioning

confidence: 99%

TrISec: Training Data-Unaware Imperceptible Security Attacks on Deep Neural Networks

Khalid

Hanif

Rehman

et al. 2019

2019 IEEE 25th International Symposium on on-Line Testing and Robust System Design (IOLTS)

Self Cite

View full text Add to dashboard Cite

Most of the data manipulation attacks on deep neural networks (DNNs) during the training stage introduce a perceptible noise that can be catered by preprocessing during inference. Therefore, data poisoning attacks during inference (e.g., adversarial attacks) are becoming more popular. However, they do not consider the imperceptibility factor in their optimization algorithms, and can be detected by correlation and structural testing. Therefore, in this paper, we propose a novel methodology which automatically generates imperceptible attack images by using the back-propagation algorithm on pretrained DNNs. We present a case study on traffic sign detection using the VGGNet and the German Traffic Sign Recognition Benchmarks dataset in an autonomous driving use case. Our results demonstrate that the generated attack images successfully perform misclassification while remaining imperceptible in both "subjective" and "objective" quality tests.

show abstract

FAdeML: Understanding the Impact of Pre-Processing Noise Filtering on Adversarial Machine Learning

Cited by 33 publications

References 36 publications

Hardware and Software Optimizations for Accelerating Deep Neural Networks: Survey of Current Trends, Challenges, and the Road Ahead

Hardware and Software Optimizations for Accelerating Deep Neural Networks: Survey of Current Trends, Challenges, and the Road Ahead

Deep Learning for Edge Computing: Current Trends, Cross-Layer Optimizations, and Open Research Challenges

TrISec: Training Data-Unaware Imperceptible Security Attacks on Deep Neural Networks

Contact Info

Product

Resources

About