Visible to the public TrISec: Training Data-Unaware Imperceptible Security Attacks on Deep Neural Networks

TitleTrISec: Training Data-Unaware Imperceptible Security Attacks on Deep Neural Networks
Publication TypeConference Paper
Year of Publication2019
AuthorsKhalid, F., Hanif, M. A., Rehman, S., Ahmed, R., Shafique, M.
Conference Name2019 IEEE 25th International Symposium on On-Line Testing and Robust System Design (IOLTS)
Date PublishedJuly 2019
ISBN Number978-1-7281-2490-2
KeywordsAdversarial Machine Learning, AI Poisoning, Automation, Autonomous vehicles, convolutional neural nets, Correlation, data manipulation attacks, data poisoning attacks, Deep Neural Network, deep neural networks, DNNs, feature extraction, generated attack images, German Traffic Sign Recognition Benchmarks dataset, Human Behavior, image classification, Image coding, image recognition, imperceptibility factor, imperceptible attack images, Imperceptible Attack Noise, Inference algorithms, learning (artificial intelligence), machine learning, ML Security, multilevel security system, object detection, Object recognition, Optimization, Optimization algorithms, perceptible noise, pre-trained DNNs, pubcrawl, resilience, Resiliency, Scalability, security, security of data, structural similarity analysis, traffic sign detection, Training, training data-unaware imperceptible security attacks, training dataset

Most of the data manipulation attacks on deep neural networks (DNNs) during the training stage introduce a perceptible noise that can be catered by preprocessing during inference, or can be identified during the validation phase. There-fore, data poisoning attacks during inference (e.g., adversarial attacks) are becoming more popular. However, many of them do not consider the imperceptibility factor in their optimization algorithms, and can be detected by correlation and structural similarity analysis, or noticeable (e.g., by humans) in multi-level security system. Moreover, majority of the inference attack rely on some knowledge about the training dataset. In this paper, we propose a novel methodology which automatically generates imperceptible attack images by using the back-propagation algorithm on pre-trained DNNs, without requiring any information about the training dataset (i.e., completely training data-unaware). We present a case study on traffic sign detection using the VGGNet trained on the German Traffic Sign Recognition Benchmarks dataset in an autonomous driving use case. Our results demonstrate that the generated attack images successfully perform misclassification while remaining imperceptible in both "subjective" and "objective" quality tests.

Citation Keykhalid_trisec_2019