Convolutional neural networks (CNNs) are widely used in computer vision, but they can be deceived by carefully crafted adversarial images. In this paper, we propose an evolutionary algorithm (EA) based adversarial attack against CNNs trained on ImageNet. Our EA-based attack aims to generate adversarial images that not only achieve a high confidence probability of being classified into the target category (at least 75%), but also appear indistinguishable from the original to the human eye, all in a black-box setting. These constraints are chosen to simulate a realistic adversarial attack scenario. Our attack has been thoroughly evaluated on 10 CNNs in several attack scenarios: high-confidence targeted, good-enough targeted, and untargeted. Furthermore, we have compared our attack favorably against other well-known white-box and black-box attacks. The experimental results show that the proposed EA-based attack is superior to or on par with its competitors in terms of success rate and the visual quality of the adversarial images produced.
Research center:
ULHPC - University of Luxembourg: High Performance Computing
Disciplines:
Computer science
Author, co-author:
TOPAL, Ali Osman ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)
CHITIC, Ioana Raluca ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)
LEPREVOST, Franck ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)
External co-authors:
no
Language:
English
Title:
One evolutionary algorithm deceives humans and ten convolutional neural networks trained on ImageNet at image recognition