A new method for countering evasion adversarial attacks on information systems based on artificial intelligence
Abstract
Modern artificial intelligence (AI) technologies are used in a variety of fields, from science to everyday life. However, the widespread use of AI-based systems has exposed their vulnerability to adversarial attacks: methods of fooling or misleading an artificial neural network, disrupting its operation, and causing it to make incorrect predictions. This study focuses on protecting image recognition models against adversarial evasion attacks, which are recognized as the most challenging and dangerous. In these attacks, an adversary crafts adversarial data containing minor perturbations relative to the original image and submits it to a trained model in an attempt to steer its response to a desired outcome. The distortions can be as small as added noise or a change to a few pixels. In this paper, we consider the most relevant methods for generating adversarial data: the Fast Gradient Sign Method (FGSM), the Square Method (SQ), Projected Gradient Descent (PGD), the Basic Iterative Method (BIM), the Carlini-Wagner method (CW) and the Jacobian Saliency Map Attack (JSMA). We also study modern techniques for defending against evasion attacks through model modification, such as adversarial training, and through pre-processing of incoming data, including spatial smoothing, feature squeezing, JPEG compression and total variance minimization, as well as defensive distillation. While these methods are effective against certain types of attacks, no single method can yet serve as a universal defense. We therefore propose a new method that combines adversarial training with image pre-processing. Adversarial training is performed on adversarial samples generated by common attack methods, which can then be defended against effectively; the image pre-processing aims to counter attacks that were not considered during adversarial training.
This makes it possible to protect the system from new types of attacks. JPEG compression and feature squeezing are proposed for the pre-processing stage; they reduce the impact of adversarial perturbations and effectively counteract all types of attacks considered. The performance metrics of an image recognition model based on a convolutional neural network were evaluated. The experimental data included original images and adversarial images created with the FGSM, PGD, BIM, SQ, CW, and JSMA attack methods, while the adversarial training of the model was performed only on adversarial examples for the FGSM, PGD, and BIM attack methods. The dataset used in the experiments was balanced. The average image recognition accuracy was estimated on the crafted adversarial image datasets. It was concluded that adversarial training is effective only against the attacks used during model training, while pre-processing of incoming data is effective only against simpler attacks. The average recognition accuracy of the developed method was 0.94, significantly higher than that of the other countermeasures considered. Without any countermeasure the accuracy is approximately 0.19, and with adversarial training it is 0.79. Spatial smoothing gives an accuracy of 0.58, feature squeezing 0.88, JPEG compression 0.37, total variance minimization 0.58, and defensive distillation 0.44. The image recognition accuracy of the developed method for the FGSM, PGD, BIM, SQ, CW, and JSMA attacks is 0.99, 0.99, 0.98, 0.98, 0.99 and 0.73, respectively. The developed method is thus a more universal solution for countering all types of attacks and works quite effectively against complex adversarial attacks such as CW and JSMA.
The developed method increases the accuracy of an image recognition model on adversarial images. Unlike adversarial training alone, it also increases recognition accuracy on adversarial data generated by attacks that were not used at the training stage. The results are useful for researchers and practitioners in the field of machine learning.
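The pre-processing stage described above relies on feature squeezing rounding small perturbations away before they reach the model. The following Python example is added here and is not the paper's code: it models an image as a list of greyscale values in [0, 1], constructs an L_inf-bounded perturbation of the shape FGSM, BIM and PGD produce (the sign pattern is fixed by hand rather than computed from a model), and counts how many perturbed pixels survive bit-depth reduction; JPEG compression is left out because it needs an image codec.

```python
from typing import List

Image = List[float]  # greyscale pixels scaled to [0, 1]


def clamp01(v: float) -> float:
    return min(max(v, 0.0), 1.0)


def squeeze_bit_depth(img: Image, bits: int) -> Image:
    """Feature squeezing by bit-depth reduction: keep only `bits` bits per pixel.
    A perturbation smaller than half a quantisation step (1 / (2**bits - 1)) is
    rounded back onto the clean value and therefore never reaches the model."""
    levels = 2 ** bits - 1
    return [round(clamp01(p) * levels) / levels for p in img]


def linf_perturb(img: Image, signs: List[int], eps: float) -> Image:
    """Shift every pixel by +eps or -eps as given by `signs`, the shape an
    L_inf-bounded evasion sample takes. The signs are supplied by hand, not
    derived from a model, so this only stands in for an adversarial sample."""
    return [clamp01(p + s * eps) for p, s in zip(img, signs)]


# Constructed 8-pixel greyscale image (8-bit values) and a hand-picked sign pattern.
CLEAN: Image = [v / 255 for v in (12, 40, 77, 128, 160, 201, 230, 250)]
SIGNS = [1, -1, 1, 1, -1, -1, 1, -1]


def surviving_pixels(eps: float, bits: int) -> int:
    """Number of pixels where the perturbation is still present after squeezing,
    i.e. where the squeezed adversarial and squeezed clean images disagree."""
    adv = linf_perturb(CLEAN, SIGNS, eps)
    sq_adv = squeeze_bit_depth(adv, bits)
    sq_clean = squeeze_bit_depth(CLEAN, bits)
    return sum(1 for a, c in zip(sq_adv, sq_clean) if a != c)


def squeezing_neutralises(eps: float, bits: int) -> bool:
    """True when squeezing maps the adversarial image onto the squeezed clean image."""
    return surviving_pixels(eps, bits) == 0


if __name__ == "__main__":
    for eps_255 in (2, 8):
        print(f"eps={eps_255}/255, 4-bit squeeze: "
              f"{surviving_pixels(eps_255 / 255, 4)} perturbed pixels survive")
```

The 8/255 case shows the limit the abstract reports for pre-processing alone: once the perturbation exceeds half a quantisation step it survives squeezing, which is why the method pairs pre-processing with adversarial training.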