Rapid Misclassification Sample Generation Attack on Deep Neural Network

Rapid Misclassification Sample Generation Attack on Deep Neural Networks (Korean title)

  • 권현 (Department of Electronic Engineering, Korea Military Academy)
  • 박상준 (Department of Electronic Engineering, Korea Military Academy)
  • 김용철 (Department of Electronic Engineering, Korea Military Academy)
  • Received : 2020.03.24
  • Accepted : 2020.06.22
  • Published : 2020.06.30

Abstract

Deep neural networks (DNNs) perform well on machine learning tasks such as image recognition and object recognition. However, DNNs are vulnerable to adversarial examples. An adversarial example is an attack sample that adds minimal noise to an original sample so that the neural network recognizes it incorrectly. Its disadvantage is that generating such an adversarial example takes a long time. In some cases, therefore, an attack is needed that causes the neural network to misrecognize a sample quickly. In this paper, we propose a fast misclassification sample that can attack neural networks rapidly. The proposed method does not consider the distortion of the original sample when adding noise. We used MNIST and CIFAR10 as experimental data and TensorFlow as the machine learning library. Experimental results show that the fast misclassification samples generated by the proposed method require 50% and 80% fewer iterations on MNIST and CIFAR10, respectively, than the conventional Carlini method, while retaining a 100% attack rate.

Deep neural networks perform well in machine learning areas such as image recognition and object recognition. However, deep neural networks are vulnerable to adversarial examples. An adversarial example is a sample that adds minimal noise to an original sample so that the deep neural network recognizes it incorrectly. However, such adversarial examples have the disadvantage that generating a sample which keeps the noise relative to the original sample minimal while also making the deep neural network misrecognize it takes a long time. Therefore, in some cases an attack may be needed that makes the deep neural network misrecognize a sample quickly, even if the noise is not minimal. In this paper, we propose a rapid misclassification sample generation attack that gives priority to attacking the deep neural network quickly. The proposed method adds noise focused on misrecognition by the deep neural network without considering distortion of the original sample. Because, unlike existing methods, it does not separately consider distortion of the original sample, it has the advantage of faster generation than existing methods. MNIST and CIFAR10 were used as experimental data, and TensorFlow was used as the machine learning library. In the experimental results, the proposed misclassification samples achieved a 100% attack rate with 50% and 80% fewer iterations on MNIST and CIFAR10, respectively, compared to the existing method.
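As an added illustration of the trade-off the abstract describes (iterations versus distortion), and not the authors' code or their exact method, which the abstract does not detail, the following NumPy toy contrasts a gradient attack that optimizes only a misclassification loss with one that also penalizes L2 distortion, a simplified Carlini-style objective. The 3-class linear model, its weights, the input, the step size and the penalty weight are all constructed assumptions.

```python
import numpy as np

# Constructed toy classifier: 3-class linear model z = W x on 2-dim inputs.
# These weights are made up for illustration; they are not the paper's model.
W = np.array([[1.0, 0.0],
              [0.0, 1.0],
              [-1.0, -1.0]])
X0 = np.array([2.0, 0.9])   # constructed input, correctly classified as class 0
Y0 = 0

def logits(x):
    return W @ x

def margin_loss(x, y):
    """Carlini-style misclassification term: logit of the true class minus the
    best other logit, plus its gradient w.r.t. x (exact for a linear model)."""
    z = logits(x)
    others = np.delete(z, y)
    k = np.delete(np.arange(len(z)), y)[np.argmax(others)]  # runner-up class
    return z[y] - z[k], W[y] - W[k]

def attack(x0, y, alpha=0.1, lam=0.0, max_iter=100):
    """Gradient-descent attack on the margin term.
    lam=0  : ignore distortion entirely (the rapid variant, as assumed from
             the abstract's description of not considering distortion).
    lam>0  : minimize margin + lam*||x - x0||^2, a simplified Carlini-style
             objective that trades iterations for a smaller perturbation.
    Returns (success, iterations, x_adv, l2_distortion)."""
    x = x0.copy()
    for t in range(1, max_iter + 1):
        _, g = margin_loss(x, y)
        g = g + 2.0 * lam * (x - x0)   # distortion gradient; zero when lam=0
        x = x - alpha * g
        if np.argmax(logits(x)) != y:  # stop at the first misclassification
            return True, t, x, float(np.linalg.norm(x - x0))
    return False, max_iter, x, float(np.linalg.norm(x - x0))

def compare():
    """Run both variants from the same start point with the same step size."""
    rapid = attack(X0, Y0, lam=0.0)
    careful = attack(X0, Y0, lam=0.5)
    return rapid, careful

if __name__ == "__main__":
    (ok_r, it_r, _, d_r), (ok_c, it_c, _, d_c) = compare()
    print(f"rapid:            success={ok_r} iters={it_r} l2={d_r:.3f}")
    print(f"distortion-aware: success={ok_c} iters={it_c} l2={d_c:.3f}")
```

On this constructed model the distortion-free run crosses the decision boundary in 6 steps while the penalized run needs 8 but ends closer to the original input, which is the iteration/distortion trade-off the abstract reports at dataset scale.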
