Designing adversarial signals against three deep learning and non-deep learning methods

Bibliographic Details
Main Author: Huang, Yi
Other Authors: Lam Kwok Yan
Format: Thesis-Doctor of Philosophy
Language: English
Published: Nanyang Technological University, 2021
Online Access: https://hdl.handle.net/10356/151718

Description
Summary: The widespread adoption of machine learning, especially Deep Neural Networks (DNNs), in daily life raises great concern about its security properties. Szegedy et al.'s study showed that DNNs are vulnerable to adversarial examples, which are images with small, deliberately designed perturbations. The perturbations are called adversarial signals in this thesis. Inspired by their study, researchers are investigating the risks of DNN models under various adversarial attacks. Though much work has been done on DNN classification models, there are still some models that need to be studied comprehensively. In this thesis, we propose adversarial attacks against three different types of architectures that have not been thoroughly examined by previous work.

Our first target models are object detectors. Most existing works focus on the security properties of image classifiers; only a small number concentrate on other widely utilized DNN models. Object detectors, such as Faster R-CNN and YOLO, have numerous applications, including in critical systems such as self-driving cars and unmanned aerial vehicles. Their vulnerabilities have to be studied thoroughly before deploying them in critical systems, to avoid irrecoverable loss caused by intentional attacks. Researchers have proposed some methods to craft adversarial examples for studying security risks in object detectors. All of these methods require modifying pixels inside the target objects, so they are either inapplicable to the physical world or significantly distort the target objects. In this thesis, two new algorithms are proposed to generate adversarial signals that can successfully attack object detectors both digitally and physically without changing the target object itself. The first algorithm generates a type of adversarial signal named adversarial border, which can fool object detectors when placed around the border of a target object. This is the first method of its kind that does not change pixels within the target object. However, the generated adversarial border does make the target object look unusual to humans. Therefore, our second algorithm generates a new type of adversarial signal that looks like a signboard, making the attack more natural; when placed below a target object, it can mislead state-of-the-art object detectors. The experimental results show that both signals can effectively fool the target object detectors digitally and physically.

Our second target architecture is the non-local block. Current works usually study the risk of the entire model, whereas the risk of a DNN may be caused by a specific component. Introducing non-local blocks into the traditional CNN architecture enhances its performance on various computer vision tasks by improving its capability to capture long-range dependencies. However, the use of non-local blocks may also introduce new threats to computer vision systems. Therefore, it is important to study the threats caused by non-local blocks before applying them directly in commercial systems. In this thesis, two new threats, named the disappearing attack (DA) and the appearing attack (AA), against object detectors with a non-local block are investigated. DA aims to mislead an object detector with a non-local block so that it cannot detect a target object category, while AA aims to mislead the object detector into detecting a predefined object category that is not present in the image. Unlike existing attacks against object detectors, these attacks can be performed at long range. The experiments show that the proposed attacks can mislead the detector with high probability. To explain the threats from non-local blocks, the receptive fields of CNN models with and without non-local blocks are studied both empirically and theoretically.

Our third target architecture is IrisCode, a widely used iris recognition algorithm. Most existing works focus on adversarial examples against DNN models. However, there are still some widely applied algorithms not based on DNNs that need to be investigated thoroughly. IrisCode, the most influential iris recognition algorithm, has been extensively employed in national identity programs and border controls, so it is vital to examine its security issues fully. How to generate iris images from its templates is one such security issue. The existing generation methods synthesize low-quality images with obvious artifacts. Generalizing the definition of adversarial examples in deep learning, we derive a constrained convex minimization formulation to generate adversarial iris images. The experimental results demonstrate that the proposed algorithm can produce iris images that can be matched with real iris images from a target eye, and that it significantly outperforms the previous methods in terms of visual quality.