Adversarial Attacks and Cyber Security: Trends and Challenges

A special issue of Applied Sciences (ISSN 2076-3417). This special issue belongs to the section "Computing and Artificial Intelligence".

Deadline for manuscript submissions: 20 April 2025 | Viewed by 5983

Special Issue Editors


Guest Editor
Institute for Cyber Security, School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China
Interests: software security; network security

Guest Editor
State Key Laboratory of Blockchain and Data Security, Zhejiang University, Hangzhou 310058, China
Interests: network security; system security; program analysis

Guest Editor
School of Information Science and Engineering, Lanzhou University, Lanzhou 730000, China
Interests: program security; threat detection; AI security

Special Issue Information

Dear Colleagues,

Security incidents, including adversarial attacks and vulnerabilities, have presented significant challenges to cyberspace security. To counter and defend against these threats, many researchers are leveraging cutting-edge technologies for automated and intelligent analysis as well as detection. Techniques such as information theory, graph theory, and artificial intelligence are extensively applied within security. Despite these advancements, the emergence of adversarial attacks and new security threats still leaves many unresolved problems, such as network attack detection, threat intelligence extraction, and the analysis of malicious behavior.

Therefore, this Special Issue intends to explore new approaches and perspectives on adversarial attacks and cyber security topics. This Special Issue will focus on (but is not limited to) the following topics:

  • Network attack intelligence detection;
  • Cyber threat intelligence and analysis;
  • System or mobile malware identification;
  • System or network attack attribution;
  • Vulnerability mining and analysis;
  • AI security and attack;
  • Data and privacy security;
  • Detection and evasion.

Dr. Weina Niu
Prof. Dr. Song Li
Dr. Xin Liu
Guest Editors

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, go to the submission form. Manuscripts can be submitted until the deadline. All submissions that pass pre-check are peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 100 words) can be sent to the Editorial Office for announcement on this website.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Applied Sciences is an international peer-reviewed open access semimonthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 2400 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Keywords

  • adversarial attacks
  • network security
  • system security
  • data security
  • AI security

Benefits of Publishing in a Special Issue

  • Ease of navigation: Grouping papers by topic helps scholars navigate broad scope journals more efficiently.
  • Greater discoverability: Special Issues support the reach and impact of scientific research. Articles in Special Issues are more discoverable and cited more frequently.
  • Expansion of research network: Special Issues facilitate connections among authors, fostering scientific collaborations.
  • External promotion: Articles in Special Issues are often promoted through the journal's social media, increasing their visibility.
  • e-Book format: Special Issues with more than 10 articles can be published as dedicated e-books, ensuring wide and rapid dissemination.

Further information on MDPI's Special Issue policies can be found here.

Published Papers (5 papers)


Research

26 pages, 19209 KiB  
Article
Image Segmentation Framework for Detecting Adversarial Attacks for Autonomous Driving Cars
by Ahmad Fakhr Aldeen Sattout, Ali Chehab, Ammar Mohanna and Razane Tajeddine
Appl. Sci. 2025, 15(3), 1328; https://doi.org/10.3390/app15031328 - 27 Jan 2025
Viewed by 661
Abstract
The widespread deployment of deep neural networks (DNNs) in critical real-time applications has spurred significant research into their security and robustness. A key vulnerability identified is that DNN decisions can be maliciously altered by introducing carefully crafted noise into the input data, leading to erroneous predictions. This is known as an adversarial attack. In this paper, we propose a novel detection framework leveraging segmentation masks and image segmentation techniques to identify adversarial attacks on DNNs, particularly in the context of autonomous driving systems. Our defense technique considers two levels of adversarial detection. The first level mainly detects adversarial inputs with large perturbations using the U-net model and one-class support vector machine (SVM). The second level of defense proposes a dynamic segmentation algorithm based on the k-means algorithm and a verifier model that controls the final prediction of the input image. To evaluate our approach, we comprehensively compare our method to the state-of-the-art feature squeeze method under a white-box attack, using eleven distinct adversarial attacks across three benchmark and heterogeneous data sets. The experimental results demonstrate the efficacy of our framework, achieving overall detection rates exceeding 96% across all adversarial techniques and data sets studied. It is worth mentioning that our method enhances the detection rates of FGSM and BIM attacks, reaching average detection rates of 95.65% as opposed to 62.63% in feature squeezing across the three data sets.
(This article belongs to the Special Issue Adversarial Attacks and Cyber Security: Trends and Challenges)
Figure 1. The flow of creating dummy images. The first two columns, x_1 and x_2, are clean random images from different classes. The third and fourth columns, s_1 and s_2, are the intermediate transformations of x_1 and x_2. The last column is the resultant dummy image generated by the DIG algorithm.

Figure 2. The proposed pipeline of the adversarial detection framework. The first line of defense starts with the U-net model and ends with the output prediction of the OCSVM model. The components of the second line of defense are the masking operation with the KAS algorithm and the verifier model. The final decision of the pipeline for the input image is taken either immediately from the first line of defense or by comparing the predictions of the verifier model and the target (main) model.

Figure 3. Structural Similarity Index (SSIM) of the test set images for each class of the MNIST, CIFAR-10, and GTSRB-8 data sets before and after applying the KAS algorithm at k = 35%.

Figure 4. SSIM of the test set images of all classes of the MNIST, CIFAR-10, and GTSRB-8 data sets before and after the k-means procedure at 10 values of k.

Figure 5. Detection rates of the proposed method compared to the best feature squeezer for the FGSM attack on the GTSRB-8 data set with ε values from 0.01 to 0.5. The proposed method is superior for all ε values.

Figure 6. The flow of image processing steps in the proposed framework. The first line of each data set represents a clean sample of each class. The second line is the corresponding segmentation mask produced by the U-net model. The third and fourth lines are the segmented and inverted versions yielded by the KAS algorithm from the masked images.

Figure 7. Samples of distorted images from the GTSRB-8 data set that are omitted from the train and test sets in the experiments.

Figure 8. Visual comparison between clean images in the first row and their adversarial counterparts in the second row, detected by the first line of defense (the OCSVM model) in the adversarial detection framework. The third and fourth rows are the masks generated by the OCSVM for the clean and adversarial images, respectively.

Figure 9. Visual comparison between clean images in the first row and their adversarial counterparts in the second row, detected by the second line of defense (the verifier model) in the adversarial detection framework. The third and fourth rows are the segmented versions yielded by the KAS algorithm (Algorithm 1) for the clean and adversarial images, respectively. The last two rows are the inverted versions.
18 pages, 3965 KiB  
Article
You Only Attack Once: Single-Step DeepFool Algorithm
by Jun Li, Yanwei Xu, Yaocun Hu, Yongyong Ma and Xin Yin
Appl. Sci. 2025, 15(1), 302; https://doi.org/10.3390/app15010302 - 31 Dec 2024
Viewed by 673
Abstract
Adversarial attacks expose the latent vulnerabilities within artificial intelligence systems, necessitating a reassessment and enhancement of model robustness to ensure the reliability and security of deep learning models against malicious attacks. We propose a fast method designed to efficiently find sample points close to the decision boundary. By computing the gradient information of each class in the input samples and comparing these gradient differences with the true class, we can identify the target class most sensitive to the decision boundary, thus generating adversarial examples. This technique is referred to as the "You Only Attack Once" (YOAO) algorithm. Compared to the DeepFool algorithm, this method requires only a single iteration to achieve effective attack results. The experimental results demonstrate that the proposed algorithm outperforms the original approach in various scenarios, especially in resource-constrained environments. Under a single iteration, it achieves a 70.6% higher success rate of the attacks compared to the DeepFool algorithm. Our proposed method shows promise for widespread application in both offensive and defensive strategies for diverse deep learning models. We investigated the relationship between classifier accuracy and adversarial attack success rate, comparing the algorithm with others. Our experiments validated that the proposed algorithm exhibits higher attack success rates and efficiency. Furthermore, we performed data visualization on the ImageNet dataset, demonstrating that the proposed algorithm focuses more on attacking important features. Finally, we discussed the existing issues with the algorithm and outlined future research directions. Our code will be made public upon acceptance of the paper.
(This article belongs to the Special Issue Adversarial Attacks and Cyber Security: Trends and Challenges)
Figure 1. Disparity between the DeepFool algorithm and the algorithm introduced in this study. Initially, a sample is classified as belonging to the "automobile" class by the classifier. After adversarial samples are created with both the DeepFool and YOAO algorithms, the resulting adversarial sample is misclassified as belonging to the "ship" class. The upper subfigure illustrates the need for multiple DeepFool iterations to progressively approach the decision boundary and generate adversarial samples. In contrast, the lower subfigure presents the YOAO algorithm introduced in this study, which requires only a single iteration to generate an adversarial sample. Clearly, the YOAO algorithm notably enhances computational efficiency and practical applicability.

Figure 2. Data space distribution. This figure illustrates the existence of adversarial examples. The red data points represent positive samples, the blue data points represent negative samples, and the green curve represents the decision boundary of the classifier. Samples above the decision boundary are classified as positive, while those below are classified as negative. Some negative samples lie near the decision boundary, indicating data points originally labelled negative that the classifier misclassifies as positive.

Figure 3. In this process, x_0 denotes the original sample point, with the blue region representing the original class and the pink region indicating other classes. Sample points x_1 and x_2 are situated in regions corresponding to classes other than the original sample class, and they represent samples from distinct classes. By identifying the decision boundary closest to the sample point as the direction for the proposed algorithmic iteration, we aim to expedite the generation of adversarial samples.

Figure 4. The impact of the maximum iteration parameter (max-iter) on the original DeepFool algorithm and the YOAO algorithm is illustrated in the four subfigures. (a,b) show the speed of generating a single adversarial sample at different maximum iteration values, while (c,d) show the attack success rate under varying maximum iteration settings. In our experiments, we employed two classifiers, ResNet18 and VGG16.

Figure 5. The two subfigures show the influence of the maximum iteration parameter (max-iter) on both the original DeepFool algorithm and the YOAO algorithm with a classifier of 95.45% accuracy. (a) shows the success rate of generating adversarial samples across various max-iter values, while (b) shows the speed of producing individual adversarial samples at different max-iter settings.

Figure 6. There are two groups of images in the figure: the top three sets are perturbed by the DeepFool algorithm, while the bottom three sets are perturbed by the YOAO algorithm, demonstrating its perturbation effects on the CIFAR-10 dataset.

Figure 7. Performance of the proposed algorithm on the ImageNet dataset. The three columns present distinct information: the left column displays the original images, the middle column shows the adversarial samples generated by the YOAO algorithm, and the right column shows the differences between the adversarial samples and the original images.
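The closest-boundary step that the YOAO abstract builds on, as an added example that is not the authors' code: it is one iteration of DeepFool's own linearised update, written against a hand-built affine classifier (the weight rows W and biases B are hypothetical) for which the linearisation is exact, so a single step reaches the nearest decision boundary and a small overshoot crosses it. The abstract's selection rule (compare each class's gradient against the true class and pick the most sensitive one) is the same ingredient; the paper's exact update is not on this page. For a DNN, grad_logits() would return per-class input gradients from autograd, and the single step is then only an approximation that may fail, which is the trade-off the paper's figures measure.

```python
"""Single-step DeepFool-style closest-boundary attack (added illustration).

The classifier is an affine model f_k(x) = w_k . x + b_k with hypothetical
weights, for which DeepFool's linearisation is exact, so one step is enough.
"""
from math import sqrt

W = [[1.0, 0.0], [0.0, 1.0], [-1.0, -1.0]]   # hypothetical class weight rows
B = [0.0, 0.0, 0.5]                          # hypothetical biases


def logits(x):
    """f_k(x) = w_k . x + b_k for every class k."""
    return [sum(wi * xi for wi, xi in zip(w, x)) + b for w, b in zip(W, B)]


def grad_logits(x):
    """Gradient of each logit w.r.t. the input. For an affine model it is
    simply w_k; for a DNN this is where one autograd pass per class goes."""
    return [list(w) for w in W]


def predict(x):
    z = logits(x)
    return max(range(len(z)), key=z.__getitem__)


def l2(v):
    return sqrt(sum(c * c for c in v))


def single_step_deepfool(x, overshoot=0.02):
    """One DeepFool iteration.

    For every class k other than the current prediction k0, the distance to
    the linearised boundary between k and k0 is |f_k - f_k0| / ||g_k - g_k0||.
    The class with the smallest distance is the one the input is most
    sensitive to; the step moves onto that boundary and overshoots slightly
    so the label actually flips. Returns (x_adv, target_class, perturbation).
    """
    z, g = logits(x), grad_logits(x)
    k0 = predict(x)
    best = None
    for k in range(len(z)):
        if k == k0:
            continue
        dz = z[k] - z[k0]                              # logit gap (<= 0)
        dg = [gk - g0 for gk, g0 in zip(g[k], g[k0])]  # gradient difference
        n = l2(dg)
        if n == 0.0:
            continue                                   # parallel boundaries
        dist = abs(dz) / n
        if best is None or dist < best[0]:
            best = (dist, k, dz, dg, n)
    if best is None:                                   # degenerate classifier
        return list(x), k0, [0.0] * len(x)
    dist, k, dz, dg, n = best
    r = [(1.0 + overshoot) * abs(dz) / (n * n) * c for c in dg]
    return [xi + ri for xi, ri in zip(x, r)], k, r


if __name__ == "__main__":
    x = [2.0, 1.0]
    x_adv, k, r = single_step_deepfool(x)
    print(predict(x), "->", predict(x_adv), "via class", k, "||r||_2 =", l2(r))
```

On the affine model the input [2.0, 1.0] is class 0; the boundary to class 1 is at distance 1/sqrt(2) while the boundary to class 2 is about 2.0 away, so the step targets class 1 and the label flips after a perturbation of L2 norm 0.72. Iterative DeepFool would re-run this loop from x_adv until the label changes; the single-step variant stops here, which is why its success rate on a nonlinear model depends on how well the boundary is approximated by a plane at x.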
18 pages, 1864 KiB  
Article
Dual-IoTID: A Session-Based Dual IoT Device Identification Model
by Tao Zeng, Ke Ye, Fang Lou, Yue Chang, Mingyong Yin and Teng Hu
Appl. Sci. 2024, 14(11), 4741; https://doi.org/10.3390/app14114741 - 30 May 2024
Viewed by 991
Abstract
The Internet of Things (IoT) is rapidly transforming our lives and work, enabling a wide range of emerging services and applications. However, as the scale of the IoT expands, its security issues are becoming increasingly prominent. Malicious actors can exploit vulnerabilities in IoT devices to launch attacks. Protecting the IoT begins with device identification. Identified devices can have corresponding protective measures selected based on the information, thereby enhancing network security. In this study, we propose a dual-machine-learning-based IoT device identification algorithm, Dual-IoTID, which identifies devices based on the payload of IoT device sessions. In contrast to existing methods that rely on extracting header fields or network layer features, our approach attempts to obtain identification information from session payloads. Dual-IoTID first extracts frequent items from sessions and uses a first-layer classifier to obtain a confidence matrix for initial classification. Then, the confidence matrix, along with extracted session communication features, is fed into a second-layer classifier for IoT device identification. Our proposed method is applicable to any IoT device, and it is also suitable for networks with NAT enabled. Experimental results demonstrate that Dual-IoTID has higher accuracy than existing methods, achieving 99.48% accuracy in the UNSW dataset and accurately identifying IoT devices even in environments containing non-IoT devices.
(This article belongs to the Special Issue Adversarial Attacks and Cyber Security: Trends and Challenges)
Figure 1. Overall framework of Dual-IoTID, which contains four components: (a) traffic and session splitting; (b) session communication feature extraction; (c) frequent item extraction and initial classification; and (d) second classification.

Figure 2. Sankey diagram of server port numbers used by different IoT devices, depicting the top 7 most commonly used TCP and UDP ports, respectively. (a) Withings Smart Baby Monitor. (b) Amazon Echo. (c) Belkin Wemo Motion Sensor. (d) Samsung SmartCam.

Figure 3. Confusion matrix of the experiment without non-IoT devices.

Figure 4. Confusion matrix of the experiment with non-IoT devices.
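The first three stages named in the Dual-IoTID abstract (session splitting, frequent-item extraction from payloads, and a first-layer confidence vector), as an added example that is not the authors' code. The packets, addresses, device names and payload strings are constructed; the definitions used here (a session is the bidirectional 5-tuple flow cut at an idle gap, a frequent item is a payload token whose support across a device's sessions meets a threshold, and the first-layer score is the fraction of a device's item profile covered by a session) are this example's assumptions, since the page does not spell out the paper's own choices.

```python
"""Session splitting, frequent-item extraction and first-layer confidence
over IoT traffic payloads (added illustration, constructed data)."""
from collections import Counter, defaultdict
import re

# Constructed packets: (ts, src, sport, dst, dport, proto, payload).
PACKETS = [
    (1.0, "10.0.0.5", 40001, "52.1.1.1", 443, "tcp",
     b"GET /api/v2/stream?id=cam01 HTTP/1.1 Host: cloud.camvendor.example"),
    (1.2, "52.1.1.1", 443, "10.0.0.5", 40001, "tcp",
     b"HTTP/1.1 200 OK Server: camcloud/3.1"),
    (300.0, "10.0.0.5", 40001, "52.1.1.1", 443, "tcp",   # same 5-tuple, new session
     b"GET /api/v2/stream?id=cam01 HTTP/1.1 Host: cloud.camvendor.example"),
    (300.3, "52.1.1.1", 443, "10.0.0.5", 40001, "tcp",
     b"HTTP/1.1 200 OK Server: camcloud/3.1"),
    (5.0, "10.0.0.7", 50002, "34.2.2.2", 443, "tcp",
     b"POST /voice/v1/events HTTP/1.1 Host: voice.spkvendor.example"),
    (5.4, "34.2.2.2", 443, "10.0.0.7", 50002, "tcp",
     b"HTTP/1.1 200 OK Server: voicecloud/7"),
    (400.0, "10.0.0.7", 50003, "34.2.2.2", 443, "tcp",
     b"POST /voice/v1/events HTTP/1.1 Host: voice.spkvendor.example"),
    (400.2, "34.2.2.2", 443, "10.0.0.7", 50003, "tcp",
     b"HTTP/1.1 200 OK Server: voicecloud/7"),
]
LABELS = {"10.0.0.5": "camera", "10.0.0.7": "speaker"}  # training ground truth

# Payload "items": word-like tokens of 3+ chars (hypothetical tokenizer).
TOKEN = re.compile(rb"[A-Za-z][A-Za-z0-9./_-]{2,}")


def session_key(pkt):
    """Direction-independent 5-tuple so both halves of a flow share one key."""
    _, src, sport, dst, dport, proto, _ = pkt
    ends = sorted([(src, sport), (dst, dport)])
    return (proto, ends[0], ends[1])


def split_sessions(packets, idle_timeout=60.0):
    """Group packets into sessions; an idle gap > idle_timeout starts a new one."""
    sessions, last_seen, seq = defaultdict(list), {}, Counter()
    for pkt in sorted(packets, key=lambda p: p[0]):
        key = session_key(pkt)
        if key in last_seen and pkt[0] - last_seen[key] > idle_timeout:
            seq[key] += 1
        last_seen[key] = pkt[0]
        sessions[(key, seq[key])].append(pkt)
    return list(sessions.values())


def session_tokens(session):
    """Set of payload tokens seen in either direction of the session."""
    return {t for p in session for t in TOKEN.findall(p[6])}


def device_of(session, labels):
    p = session[0]
    return labels.get(p[1]) or labels.get(p[3])


def frequent_items(sessions, min_support=0.5):
    """Tokens present in at least min_support of the sessions (1-itemsets)."""
    count = Counter()
    for s in sessions:
        count.update(session_tokens(s))
    return {t for t, c in count.items() if c / len(sessions) >= min_support}


def build_profiles(packets, labels, min_support=0.5):
    """Per-device frequent items, minus tokens that every device shares:
    HTTP boilerplate such as b'Host' carries no identification signal."""
    by_dev = defaultdict(list)
    for s in split_sessions(packets):
        dev = device_of(s, labels)
        if dev:
            by_dev[dev].append(s)
    profiles = {d: frequent_items(ss, min_support) for d, ss in by_dev.items()}
    common = set.intersection(*profiles.values()) if len(profiles) > 1 else set()
    return {d: items - common for d, items in profiles.items()}


def first_layer_confidence(session, profiles):
    """Fraction of each device's profile covered by the session's tokens."""
    toks = session_tokens(session)
    return {d: (len(toks & items) / len(items) if items else 0.0)
            for d, items in profiles.items()}


def session_features(session):
    """Communication features a second-layer classifier would combine with
    the confidence vector (payload-only features survive NAT)."""
    sizes = [len(p[6]) for p in session]
    return {"n_pkts": len(session), "bytes": sum(sizes),
            "mean_size": sum(sizes) / len(sizes),
            "duration": session[-1][0] - session[0][0],
            "server_port": min(session[0][2], session[0][4])}


# Constructed session from an unlabelled host that behaves like the camera
# but carries a different device id in its request.
UNKNOWN = [
    (900.0, "10.0.0.9", 41000, "52.1.1.1", 443, "tcp",
     b"GET /api/v2/stream?id=cam07 HTTP/1.1 Host: cloud.camvendor.example"),
    (900.2, "52.1.1.1", 443, "10.0.0.9", 41000, "tcp",
     b"HTTP/1.1 200 OK Server: camcloud/3.1"),
]


def classify_unknown():
    """Return (best device, confidence vector, session features) for UNKNOWN."""
    profiles = build_profiles(PACKETS, LABELS)
    conf = first_layer_confidence(UNKNOWN, profiles)
    return max(conf, key=conf.get), conf, session_features(UNKNOWN)


if __name__ == "__main__":
    print(classify_unknown())
```

The unknown host covers four of the camera's five profile items (the per-device id cam07 does not match cam01) and none of the speaker's, so the first layer outputs roughly (camera 0.8, speaker 0.0); that vector, together with the session features, is what a second-layer classifier would consume. Two practitioner caveats: the stop-item step matters, because protocol boilerplate is frequent for every device and would otherwise give every profile a non-zero match; and a device that encrypts its payloads contributes only TLS handshake bytes to the token set, so on such traffic the method degrades toward the header-based features the abstract contrasts itself with.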
43 pages, 27802 KiB  
Article
The Noise Blowing-Up Strategy Creates High Quality High Resolution Adversarial Images against Convolutional Neural Networks
by Ali Osman Topal, Enea Mancellari, Franck Leprévost, Elmir Avdusinovic and Thomas Gillet
Appl. Sci. 2024, 14(8), 3493; https://doi.org/10.3390/app14083493 - 21 Apr 2024
Viewed by 1133
Abstract
Convolutional neural networks (CNNs) serve as powerful tools in computer vision tasks with extensive applications in daily life. However, they are susceptible to adversarial attacks. Still, attacks can be positive for at least two reasons. Firstly, revealing CNNs' vulnerabilities prompts efforts to enhance their robustness. Secondly, adversarial images can also be employed to preserve privacy-sensitive information from CNN-based threat models aiming to extract such data from images. For such applications, the construction of high-resolution adversarial images is mandatory in practice. This paper firstly quantifies the speed, adversity, and visual quality challenges involved in the effective construction of high-resolution adversarial images, secondly provides the operational design of a new strategy, called here the noise blowing-up strategy, working for any attack, any scenario, any CNN, any clean image, thirdly validates the strategy via an extensive series of experiments. We performed experiments with 100 high-resolution clean images, exposing them to seven different attacks against 10 CNNs. Our method achieved an overall average success rate of 75% in the targeted scenario and 64% in the untargeted scenario. We revisited the failed cases: a slight modification of our method led to success rates larger than 98.9%. As of today, the noise blowing-up strategy is the first generic approach that successfully solves all three speed, adversity, and visual quality challenges, and therefore effectively constructs high-resolution adversarial images with high-quality requirements.
(This article belongs to the Special Issue Adversarial Attacks and Cyber Security: Trends and Challenges)
Figure 1. Standard attacks' process, where c_a is the CNN's leading category of the clean resized image, and c ≠ c_a is the CNN's leading category of the adversarial image.

Figure 2. Direct attack process generating an adversarial image with the same size as the original clean image.

Figure 3. Examples of images for which the interpolation techniques cause more visual damage than the attacks themselves. Clean HR images A_a^hr in the 1st column; corresponding non-adversarial HR resized images λ∘ρ(A_a^hr) in the 2nd column, with the values of L_{p,H}^{norm,clean} for p = 0, 1, ∞ and FID_H^clean underneath (in that order); adversarial HR images in the 3rd column (atk = EA, C = C_4, target scenario) and in the 4th column (atk = BIM, C = C_6, untarget scenario), with L_{p,H}^{norm,adv} for p = 0, 1, ∞ and FID_H^adv underneath (in that order). To enhance visibility, consider zooming in for a clearer view.

Figure 4. Performance of the noise blowing-up method for EA in the untargeted scenario with the increased strength of adversarial images: (a) specifically for C_4, (b) averaged across 10 CNNs, and (c) overall report for all CNNs. In (a,b), Δ_C values are displayed at the bottom, and the resulting number of used images is at the top.

Figure 5. Performance of the noise blowing-up method for AdvGAN in the untargeted scenario with the increased strength of adversarial images: (a) specifically for C_4, (b) averaged across 10 CNNs, and (c) overall report for all CNNs. In (a,b), Δ_C values are displayed at the bottom, and the resulting number of used images is at the top.

Figure 6. Performance of the noise blowing-up method for AdvGAN in the target scenario with the increased strength of adversarial images: (a) specifically for C_4, (b) averaged across 10 CNNs, and (c) overall report for all CNNs. In (a,b), Δ_C values are displayed at the bottom, and the resulting number of used images is at the top.

Figure 7. Sample of HR adversarial images generated by the noise blowing-up strategy for the EA and AdvGAN attacks in the untargeted scenario, and the AdvGAN attack in the targeted scenario, against C_4 = MobileNet, with Δ_C set to 0.55 in the R domain. Classification (dominant category and label value) by C_4 is displayed at the bottom. (a) Clean image, acorn: 0.90. (b) EA untargeted, snail: 0.61. (c) AdvGAN untargeted, dung_beetle: 0.55. (d) AdvGAN targeted, rhinoceros_beetle: 0.43.

Figure 8. Visual comparison in the H domain of (a) the clean image A_1^hr, (b) its non-adversarial resized version, and the adversarial image obtained with EA in the target scenario against C = VGG-16 (c) by the lifting method of [29,30] and (d) by the noise blowing-up method. Both non-adversarial images are classified as "comic books", (a) with label value 0.49 and (b) with label value 0.45. Both HR adversarial images are classified as "altar", (c) with label value 0.52 and (d) with label value 0.41.

Figure 9. Visual comparison in the H domain of (a) the clean image A_2^hr, (b) its non-adversarial resized version, and the adversarial image obtained with EA in the target scenario against C = VGG-16 (c) by the lifting method of [29,30] and (d) by the noise blowing-up method. Both non-adversarial images are classified as "Coffee Mug", (a) with label value 0.08 and (b) with label value 0.08. Both HR adversarial images are classified as "Hamper", (c) with label value 0.51 and (d) with label value 0.53.

Figure 10. Visual comparison in the H domain of (a) the clean image A_3^hr, (b) its non-adversarial resized version, and the adversarial image obtained with EA in the target scenario against C = VGG-16 (c) by the lifting method of [29,30] and (d) by the noise blowing-up method. Both non-adversarial images are classified as "hippopotamus", (a) with label value 0.99 and (b) with label value 0.99. Both HR adversarial images are classified as "trifle", (c) with label value 0.51 and (d) with label value 0.50.

Figure A1. Representation of the 100 ancestor clean images A_q^p used in the experiments. A_q^p, pictured in the q-th row and p-th column (1 ≤ p, q ≤ 10), is randomly chosen from the ImageNet validation set of the ancestor category c_{a_q} specified on the left of the q-th row.
Full article ">Figure A2
<p>Evaluating the performance of the noise blowing-up method for <b>EA</b> in <b>untargeted</b> scenarios with the increased strength of adversarial images per each CNN. The charts display <math display="inline"><semantics> <mo>Δ</mo> </semantics></math> values at the bottom, along with the corresponding number of images used for the tests at the top.</p>
Full article ">Figure A3
<p>Evaluating the performance of the noise blowing-up method for <b>AdvGAN</b> in <b>untargeted</b> scenarios with the increased strength of adversarial images per each CNN. The charts display <math display="inline"><semantics> <mo>Δ</mo> </semantics></math> values at the bottom, along with the corresponding number of images used for the tests at the top.</p>
Full article ">Figure A4
<p>Evaluating the performance of the noise blowing-up method for <b>AdvGAN</b> in <b>target</b> scenarios with the increased strength of adversarial images per each CNN. The charts display <math display="inline"><semantics> <mo>Δ</mo> </semantics></math> values at the bottom, along with the corresponding number of images used for the tests at the top.</p>
Full article ">
17 pages, 3142 KiB  
Article
Segment Shards: Cross-Prompt Adversarial Attacks against the Segment Anything Model
by Shize Huang, Qianhui Fan, Zhaoxin Zhang, Xiaowen Liu, Guanqun Song and Jinzhe Qin
Appl. Sci. 2024, 14(8), 3312; https://doi.org/10.3390/app14083312 - 15 Apr 2024
Viewed by 1434
Abstract
Foundation models play an increasingly pivotal role in the field of deep neural networks. Given that deep neural networks are widely used in real-world systems and are generally susceptible to adversarial attacks, securing foundation models becomes a key research issue. However, research on adversarial attacks against the Segment Anything Model (SAM), a visual foundation model, is still in its infancy. In this paper, we propose the prompt batch attack (PBA), which can effectively attack SAM, making it unable to capture valid objects or even generate fake shards. Extensive experiments were conducted to compare the adversarial attack performance among optimizing without prompts, optimizing all prompts, and optimizing batches of prompts as in PBA. Numerical results on multiple datasets show that the cross-prompt attack success rate (ASR) of the PBA method is 17.83% higher on average, and the attack success rate (ASR) is 20.84% higher. It is proven that PBA possesses the best attack capability as well as the highest cross-prompt transferability. Additionally, we introduce a metric to evaluate the cross-prompt transferability of adversarial attacks, effectively fostering research on cross-prompt attacks. Our work unveils the pivotal role of the batched prompts technique in cross-prompt adversarial attacks, marking an early and intriguing exploration into this area against SAM.
(This article belongs to the Special Issue Adversarial Attacks and Cyber Security: Trends and Challenges)
Figure 1. Cross-prompt adversarial attack. ASR denotes the attack success rate and ASR* denotes the cross-prompt attack success rate.
Figure 2. The three different algorithms (NPA, PA, PBA) aim to generate adversarial examples for attacking SAM in a white-box setting.
Figure 3. Illustration of the comparison of the algorithms.
Figure 4. Adversarial examples with segmentation mask results of SAM. The text above each image indicates its source; the text below each image indicates the prompt setting (Pts8, Pts16, or Pts20) used to generate the segmentation results on that image.
Figure 5. Comparative analysis of mIoU, ASR, and SSIM across attack iterations and methods. To keep the actual number of image updates consistent, for both the PA and NPA methods the number of attack iterations is four times the number shown on the horizontal axis of this figure.
Figure 6. Illustration of the relationship between mIoU and SSIM under the PBA and PA methods. The dataset used in this experiment is CBCL300, with the maximum perturbation value μ ranging from 0.05 to 0.35.