Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels

Bo Ching Lin; Hwai Jung Hsu; Shih Kun Huang

doi:10.1109/COMPSAC48688.2020.000-3

Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels

Bo Ching Lin, Hwai Jung Hsu, Shih Kun Huang

Center for Information Technology Services

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Scopus citations

Abstract

Convolutional neural networks (CNNs) are known to be vulnerable to adversarial attacks. Well-crafted perturbations to the inputs can mislead a state-of-the-art CNN to make wrong decisions. Therefore, there is a pressing need for the development of methods that can test or detect the vulnerability of CNNs. In this study, we propose an adversarial attack method, called Dual Iterative Fusion (DIF) with potential critical pixels, for CNN testing to reveal the vulnerability of CNNs. DIF modifies as few as 5 pixels out of 32x32 images in this study and achieves faster, less noticeable, and more targeted attacks to a CNN. Testing CNNs with DIF, we observed that some classes are more vulnerable than the others within many classical CNNs for image classification. In other words, some classes are susceptible to misclassification due to adversarial attacks. For example, in VGG19 trained with CIFAR10 data set, the vulnerable class is 'Cat'. The successfully-targeted attack rate of class 'Cat' in VGG19 is obviously higher than the others, 57.01% versus 25%. In the ResNet18, the vulnerable class is 'Plane', with a successfully-targeted attack rate of 37.08% while the other classes are lower than 12%. These classes should be considered as vulnerabilities in the CNNs, and are pinpointed by generating test images using DIF. The issues can be mitigated through retraining the CNNs with the adversarial images generated by DIF, and the misclassification rate of the vulnerable classes declines at most from 61.67% to 6.37% after the retraining.

Original language	English
Title of host publication	Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020
Editors	W. K. Chan, Bill Claycomb, Hiroki Takakura, Ji-Jiang Yang, Yuuichi Teranishi, Dave Towey, Sergio Segura, Hossain Shahriar, Sorel Reisman, Sheikh Iqbal Ahamed
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	1743-1748
Number of pages	6
ISBN (Electronic)	9781728173030
DOIs	https://doi.org/10.1109/COMPSAC48688.2020.000-3
State	Published - Jul 2020
Event	44th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2020 - Virtual, Madrid, Spain Duration: 13 Jul 2020 → 17 Jul 2020

Publication series

Name	Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020

Conference

Conference	44th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2020
Country/Territory	Spain
City	Virtual, Madrid
Period	13/07/20 → 17/07/20

Keywords

Adversarial Attack
Convolutional Neural Network
Testing

Access to Document

10.1109/COMPSAC48688.2020.000-3

Cite this

Lin, B. C., Hsu, H. J., & Huang, S. K. (2020). Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels. In W. K. Chan, B. Claycomb, H. Takakura, J.-J. Yang, Y. Teranishi, D. Towey, S. Segura, H. Shahriar, S. Reisman, & S. I. Ahamed (Eds.), Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020 (pp. 1743-1748). Article 9202406 (Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/COMPSAC48688.2020.000-3

Lin, Bo Ching ; Hsu, Hwai Jung ; Huang, Shih Kun. / Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels. Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020. editor / W. K. Chan ; Bill Claycomb ; Hiroki Takakura ; Ji-Jiang Yang ; Yuuichi Teranishi ; Dave Towey ; Sergio Segura ; Hossain Shahriar ; Sorel Reisman ; Sheikh Iqbal Ahamed. Institute of Electrical and Electronics Engineers Inc., 2020. pp. 1743-1748 (Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020).

@inproceedings{fa09c122f5f94e94b9cfd7a95259b65e,

title = "Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels",

abstract = "Convolutional neural networks (CNNs) are known to be vulnerable to adversarial attacks. Well-crafted perturbations to the inputs can mislead a state-of-the-art CNN to make wrong decisions. Therefore, there is a pressing need for the development of methods that can test or detect the vulnerability of CNNs. In this study, we propose an adversarial attack method, called Dual Iterative Fusion (DIF) with potential critical pixels, for CNN testing to reveal the vulnerability of CNNs. DIF modifies as few as 5 pixels out of 32x32 images in this study and achieves faster, less noticeable, and more targeted attacks to a CNN. Testing CNNs with DIF, we observed that some classes are more vulnerable than the others within many classical CNNs for image classification. In other words, some classes are susceptible to misclassification due to adversarial attacks. For example, in VGG19 trained with CIFAR10 data set, the vulnerable class is 'Cat'. The successfully-targeted attack rate of class 'Cat' in VGG19 is obviously higher than the others, 57.01% versus 25%. In the ResNet18, the vulnerable class is 'Plane', with a successfully-targeted attack rate of 37.08% while the other classes are lower than 12%. These classes should be considered as vulnerabilities in the CNNs, and are pinpointed by generating test images using DIF. The issues can be mitigated through retraining the CNNs with the adversarial images generated by DIF, and the misclassification rate of the vulnerable classes declines at most from 61.67% to 6.37% after the retraining.",

keywords = "Adversarial Attack, Convolutional Neural Network, Testing",

author = "Lin, {Bo Ching} and Hsu, {Hwai Jung} and Huang, {Shih Kun}",

note = "Publisher Copyright: {\textcopyright} 2020 IEEE. Copyright: Copyright 2020 Elsevier B.V., All rights reserved.; 44th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2020 ; Conference date: 13-07-2020 Through 17-07-2020",

year = "2020",

month = jul,

doi = "10.1109/COMPSAC48688.2020.000-3",

language = "English",

series = "Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "1743--1748",

editor = "Chan, {W. K.} and Bill Claycomb and Hiroki Takakura and Ji-Jiang Yang and Yuuichi Teranishi and Dave Towey and Sergio Segura and Hossain Shahriar and Sorel Reisman and Ahamed, {Sheikh Iqbal}",

booktitle = "Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020",

address = "美國",

}

Lin, BC, Hsu, HJ & Huang, SK 2020, Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels. in WK Chan, B Claycomb, H Takakura, J-J Yang, Y Teranishi, D Towey, S Segura, H Shahriar, S Reisman & SI Ahamed (eds), Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020., 9202406, Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020, Institute of Electrical and Electronics Engineers Inc., pp. 1743-1748, 44th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2020, Virtual, Madrid, Spain, 13/07/20. https://doi.org/10.1109/COMPSAC48688.2020.000-3

Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels. / Lin, Bo Ching; Hsu, Hwai Jung; Huang, Shih Kun.
Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020. ed. / W. K. Chan; Bill Claycomb; Hiroki Takakura; Ji-Jiang Yang; Yuuichi Teranishi; Dave Towey; Sergio Segura; Hossain Shahriar; Sorel Reisman; Sheikh Iqbal Ahamed. Institute of Electrical and Electronics Engineers Inc., 2020. p. 1743-1748 9202406 (Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels

AU - Lin, Bo Ching

AU - Hsu, Hwai Jung

AU - Huang, Shih Kun

PY - 2020/7

Y1 - 2020/7

N2 - Convolutional neural networks (CNNs) are known to be vulnerable to adversarial attacks. Well-crafted perturbations to the inputs can mislead a state-of-the-art CNN to make wrong decisions. Therefore, there is a pressing need for the development of methods that can test or detect the vulnerability of CNNs. In this study, we propose an adversarial attack method, called Dual Iterative Fusion (DIF) with potential critical pixels, for CNN testing to reveal the vulnerability of CNNs. DIF modifies as few as 5 pixels out of 32x32 images in this study and achieves faster, less noticeable, and more targeted attacks to a CNN. Testing CNNs with DIF, we observed that some classes are more vulnerable than the others within many classical CNNs for image classification. In other words, some classes are susceptible to misclassification due to adversarial attacks. For example, in VGG19 trained with CIFAR10 data set, the vulnerable class is 'Cat'. The successfully-targeted attack rate of class 'Cat' in VGG19 is obviously higher than the others, 57.01% versus 25%. In the ResNet18, the vulnerable class is 'Plane', with a successfully-targeted attack rate of 37.08% while the other classes are lower than 12%. These classes should be considered as vulnerabilities in the CNNs, and are pinpointed by generating test images using DIF. The issues can be mitigated through retraining the CNNs with the adversarial images generated by DIF, and the misclassification rate of the vulnerable classes declines at most from 61.67% to 6.37% after the retraining.

AB - Convolutional neural networks (CNNs) are known to be vulnerable to adversarial attacks. Well-crafted perturbations to the inputs can mislead a state-of-the-art CNN to make wrong decisions. Therefore, there is a pressing need for the development of methods that can test or detect the vulnerability of CNNs. In this study, we propose an adversarial attack method, called Dual Iterative Fusion (DIF) with potential critical pixels, for CNN testing to reveal the vulnerability of CNNs. DIF modifies as few as 5 pixels out of 32x32 images in this study and achieves faster, less noticeable, and more targeted attacks to a CNN. Testing CNNs with DIF, we observed that some classes are more vulnerable than the others within many classical CNNs for image classification. In other words, some classes are susceptible to misclassification due to adversarial attacks. For example, in VGG19 trained with CIFAR10 data set, the vulnerable class is 'Cat'. The successfully-targeted attack rate of class 'Cat' in VGG19 is obviously higher than the others, 57.01% versus 25%. In the ResNet18, the vulnerable class is 'Plane', with a successfully-targeted attack rate of 37.08% while the other classes are lower than 12%. These classes should be considered as vulnerabilities in the CNNs, and are pinpointed by generating test images using DIF. The issues can be mitigated through retraining the CNNs with the adversarial images generated by DIF, and the misclassification rate of the vulnerable classes declines at most from 61.67% to 6.37% after the retraining.

KW - Adversarial Attack

KW - Convolutional Neural Network

KW - Testing

UR - http://www.scopus.com/inward/record.url?scp=85094161989&partnerID=8YFLogxK

U2 - 10.1109/COMPSAC48688.2020.000-3

DO - 10.1109/COMPSAC48688.2020.000-3

M3 - Conference contribution

AN - SCOPUS:85094161989

T3 - Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020

SP - 1743

EP - 1748

BT - Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020

A2 - Chan, W. K.

A2 - Claycomb, Bill

A2 - Takakura, Hiroki

A2 - Yang, Ji-Jiang

A2 - Teranishi, Yuuichi

A2 - Towey, Dave

A2 - Segura, Sergio

A2 - Shahriar, Hossain

A2 - Reisman, Sorel

A2 - Ahamed, Sheikh Iqbal

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 44th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2020

Y2 - 13 July 2020 through 17 July 2020

ER -

Lin BC, Hsu HJ, Huang SK. Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels. In Chan WK, Claycomb B, Takakura H, Yang JJ, Teranishi Y, Towey D, Segura S, Shahriar H, Reisman S, Ahamed SI, editors, Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020. Institute of Electrical and Electronics Engineers Inc. 2020. p. 1743-1748. 9202406. (Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020). doi: 10.1109/COMPSAC48688.2020.000-3

Testing Convolutional Neural Network using Adversarial Attacks on Potential Critical Pixels

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this