One Pixel Attack for Fooling Deep Neural Networks
@article{Su2019OnePA,
  title   = {One Pixel Attack for Fooling Deep Neural Networks},
  author  = {Jiawei Su and Danilo Vasconcellos Vargas and Kouichi Sakurai},
  journal = {IEEE Transactions on Evolutionary Computation},
  year    = {2019},
  volume  = {23},
  pages   = {828-841}
}
Recent research has revealed that the output of deep neural networks (DNNs) can be easily altered by adding relatively small perturbations to the input vector. This paper analyzes an extremely limited attack scenario in which only a single pixel may be modified, and proposes a method for generating one-pixel adversarial perturbations based on differential evolution (DE). It requires less adversarial information (a black-box attack) and can fool more types of networks due to the inherent features of DE. The results show that 67.97% of the natural images in the Kaggle CIFAR-10 test dataset and 16.04% of the ImageNet (ILSVRC 2012) test images can be perturbed to at least one target class by modifying just one pixel.
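The abstract describes a black-box search over single-pixel perturbations driven by differential evolution (DE). Below is a minimal sketch of that kind of search, assuming a hypothetical `predict_probs` black-box that returns class probabilities for an HxWx3 uint8 image; the population size, iteration budget, and untargeted objective are illustrative choices, not the paper's exact settings.

```python
# Minimal sketch of a DE search for a one-pixel perturbation.
# `predict_probs` is a hypothetical black-box returning class probabilities
# for a single HxWx3 uint8 image; swap in your own model wrapper.
import numpy as np
from scipy.optimize import differential_evolution

def one_pixel_attack(image, true_label, predict_probs, maxiter=75, popsize=40):
    h, w, _ = image.shape

    def apply_candidate(z, img):
        # A candidate is (x, y, r, g, b): one pixel location and its new color.
        x, y, r, g, b = z
        out = img.copy()
        out[int(y), int(x)] = np.clip([r, g, b], 0, 255)
        return out

    def fitness(z):
        # Untargeted objective: minimize the model's confidence in the true class.
        probs = predict_probs(apply_candidate(z, image))
        return probs[true_label]

    bounds = [(0, w - 1), (0, h - 1), (0, 255), (0, 255), (0, 255)]
    result = differential_evolution(fitness, bounds, maxiter=maxiter,
                                    popsize=popsize, recombination=1.0,
                                    polish=False, seed=0)
    adv = apply_candidate(result.x, image)
    return adv, predict_probs(adv).argmax() != true_label
```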
1,278 Citations
One Sparse Perturbation to Fool them All, almost Always!
- Computer ScienceArXiv
- 2020
The proposed DEceit algorithm constructs effective universal pixel-restricted perturbations using only black-box feedback from the target network, achieving a high and highly transferable fooling rate while retaining visual quality.
XGAN: adversarial attacks with GAN
- Computer ScienceOther Conferences
- 2019
A method that uses a GAN to directly generate target images for attacking deep neural networks, achieving an 82% success rate for black-box targeted attacks on the CIFAR-10 and MNIST datasets.
ABCAttack: A Gradient-Free Optimization Black-Box Attack for Fooling Deep Image Classifiers
- Computer ScienceEntropy
- 2022
The experimental results show that the proposed ABCAttack not only obtains a high attack success rate with fewer queries in the black-box setting, but also breaks some existing defenses to a large extent; it is not limited by model structure or size, which suggests further research directions for deep learning evasion attacks and defenses.
Evaluating and Improving Adversarial Attacks on DNN-Based Modulation Recognition
- Computer ScienceGLOBECOM 2020 - 2020 IEEE Global Communications Conference
- 2020
This study designs the Fitting Difference as a metric to measure perturbed waveforms and proposes a new method, the Nesterov Adam Iterative Method, to generate adversarial examples; results show that the proposed algorithm not only delivers excellent white-box attacks but can also initiate attacks on a black-box model.
Exploring and Expanding the One-Pixel Attack
- Computer Science
- 2019
This work improves upon the original implementation of the attack by designing a fitness function that minimizes the magnitude of the perturbation in addition to the network confidence, explores the attack's efficacy by comparing its performance on neural networks of different depths, and analyzes the technique by computing per-pixel heatmaps of vulnerabilities in input images.
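The entry above mentions a fitness function that penalizes perturbation magnitude in addition to the network's confidence. A minimal sketch of such a combined objective, assuming a hypothetical `predict_probs` black-box and an illustrative weight `lam` (not a value from the paper):

```python
# Illustrative fitness combining true-class confidence with perturbation
# magnitude; `lam` and `predict_probs` are assumptions for illustration.
import numpy as np

def combined_fitness(candidate, image, true_label, predict_probs, lam=0.1):
    x, y, r, g, b = candidate
    perturbed = image.copy()
    new_rgb = np.clip([r, g, b], 0, 255)
    perturbed[int(y), int(x)] = new_rgb

    confidence = predict_probs(perturbed)[true_label]                     # want this low
    magnitude = np.linalg.norm(new_rgb - image[int(y), int(x)]) / 255.0   # want this small
    return confidence + lam * magnitude
```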
A black-box adversarial attack strategy with adjustable sparsity and generalizability for deep image classifiers
- Computer SciencePattern Recognit.
- 2022
Towards Imperceptible Adversarial Image Patches Based on Network Explanations
- Computer ScienceArXiv
- 2020
A novel method that generates local-region perturbations by finding the contributing feature regions (CFRs) of images based on network explanations, using a soft mask matrix to represent the CFRs and finely characterize the contribution of each pixel.
Adversarial attack to fool object detector
- Computer Science
- 2020
This work proposes a simple technique, Plug-n-Play Adversarial Attack (PPAA), that is computationally efficient in terms of the average number of iterations and uses constrained uniform random noises to generate perturbations.
Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels
- Computer Science2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC)
- 2020
An adversarial attack method with potential critical pixels, called Dual Iterative Fusion (DIF), is proposed for CNN testing to reveal the vulnerability of CNNs; it is observed that some classes are more vulnerable than others in many classical CNNs for image classification.
Empirical Evaluation on Robustness of Deep Convolutional Neural Networks Activation Functions Against Adversarial Perturbation
- Computer Science2018 Sixth International Symposium on Computing and Networking Workshops (CANDARW)
- 2018
It is shown that the choice of activation function can be an important factor influencing the robustness of DCNNs, and that, compared with sigmoid, the ReLU non-linearity is more vulnerable, allowing the low-dimensional one-pixel attack to achieve a much higher success rate and attack confidence.
References
Showing 1-10 of 73 references
Detecting Adversarial Image Examples in Deep Neural Networks with Adaptive Noise Reduction
- Computer ScienceIEEE Transactions on Dependable and Secure Computing
- 2021
This paper proposes a straightforward method for detecting adversarial image examples, which can be directly deployed into unmodified off-the-shelf DNN models and raises the bar for defense-aware attacks.
Simple Black-Box Adversarial Attacks on Deep Neural Networks
- Computer Science2017 IEEE Conference on Computer Vision and Pattern Recognition Workshops (CVPRW)
- 2017
This work focuses on deep convolutional neural networks and demonstrates that adversaries can easily craft adversarial examples even without any internal knowledge of the target network, and proposes schemes that could serve as a litmus test for designing robust networks.
Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks
- Computer ScienceNDSS
- 2018
Two feature squeezing methods are explored: reducing the color bit depth of each pixel and spatial smoothing, which are inexpensive and complementary to other defenses, and can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks.
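A minimal sketch of the two squeezers named in this entry (color bit-depth reduction and spatial median smoothing) and an L1-score detector; the detection threshold and the `predict_probs` model wrapper are assumptions for illustration, not the paper's tuned values.

```python
# Sketch of feature squeezing detection: compare model outputs on the
# original input and on squeezed copies; a large shift flags the input.
import numpy as np
from scipy.ndimage import median_filter

def reduce_bit_depth(image, bits=4):
    # Quantize each channel from 8 bits down to `bits` bits, back to [0, 255].
    levels = 2 ** bits - 1
    return np.round(image / 255.0 * levels) / levels * 255.0

def spatial_smooth(image, size=2):
    # Median smoothing applied to each color channel independently.
    return median_filter(image, size=(size, size, 1))

def is_adversarial(image, predict_probs, threshold=1.2):
    p_orig = predict_probs(image)
    scores = [np.abs(p_orig - predict_probs(reduce_bit_depth(image))).sum(),
              np.abs(p_orig - predict_probs(spatial_smooth(image))).sum()]
    # Flag the input if any squeezed version shifts the prediction too much.
    return max(scores) > threshold
```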
Adversarial Perturbations Against Deep Neural Networks for Malware Classification
- Computer ScienceArXiv
- 2016
This paper shows how to construct highly effective adversarial sample crafting attacks for neural networks used as malware classifiers, and evaluates to what extent potential defensive mechanisms against adversarial crafting can be leveraged in the setting of malware classification.
Distillation as a Defense to Adversarial Perturbations Against Deep Neural Networks
- Computer Science2016 IEEE Symposium on Security and Privacy (SP)
- 2016
The study shows that defensive distillation can reduce the effectiveness of adversarial sample creation from 95% to less than 0.5% on a studied DNN, and analytically investigates the generalizability and robustness properties granted by the use of defensive distillation when training DNNs.
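A minimal sketch of the temperature-scaled softmax and soft-label loss at the core of defensive distillation as summarized above, assuming hypothetical `teacher_logits` and `student_logits` arrays; the temperature T=20 is an illustrative choice, not the paper's prescribed value.

```python
# Sketch of distillation with a softmax temperature: the student is trained
# to match the teacher's softened probabilities, then deployed with T = 1.
import numpy as np

def softmax_with_temperature(logits, T):
    z = logits / T
    z = z - z.max(axis=-1, keepdims=True)      # numerical stability
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)

def distillation_loss(student_logits, teacher_logits, T=20.0):
    soft_targets = softmax_with_temperature(teacher_logits, T)
    log_student = np.log(softmax_with_temperature(student_logits, T) + 1e-12)
    return -(soft_targets * log_student).sum(axis=-1).mean()
```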
The Limitations of Deep Learning in Adversarial Settings
- Computer Science2016 IEEE European Symposium on Security and Privacy (EuroS&P)
- 2016
This work formalizes the space of adversaries against deep neural networks (DNNs) and introduces a novel class of algorithms to craft adversarial samples based on a precise understanding of the mapping between inputs and outputs of DNNs.
Towards Evaluating the Robustness of Neural Networks
- Computer Science2017 IEEE Symposium on Security and Privacy (SP)
- 2017
It is demonstrated that defensive distillation does not significantly increase the robustness of neural networks, and three new attack algorithms are introduced that succeed on both distilled and undistilled neural networks with 100% probability.
Adversarial Diversity and Hard Positive Generation
- Computer Science2016 IEEE Conference on Computer Vision and Pattern Recognition Workshops (CVPRW)
- 2016
A new psychometric perceptual adversarial similarity score (PASS) measure for quantifying adversarial images, the notion of hard positive generation is introduced, and a novel hot/cold approach for adversarial example generation is presented, which provides multiple possible adversarial perturbations for every single image.
Universal Adversarial Perturbations
- Computer Science2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR)
- 2017
The surprising existence of universal perturbations reveals important geometric correlations among the high-dimensional decision boundary of classifiers and outlines potential security breaches with the existence of single directions in the input space that adversaries can possibly exploit to break a classifier on most natural images.
Adversarial Examples: Attacks and Defenses for Deep Learning
- Computer ScienceIEEE Transactions on Neural Networks and Learning Systems
- 2019
The methods for generating adversarial examples for DNNs are summarized, a taxonomy of these methods is proposed, and three major challenges in adversarial examples and their potential solutions are discussed.