Time Traveling to Defend Against Adversarial Example Attacks in Image Classification
- URL: http://arxiv.org/abs/2410.08338v1
- Date: Thu, 10 Oct 2024 19:56:28 GMT
- Title: Time Traveling to Defend Against Adversarial Example Attacks in Image Classification
- Authors: Anthony Etim, Jakub Szefer
- Abstract summary: Adversarial example attacks have emerged as a critical threat to machine learning.
Adversarial attacks in image classification abuse various minor modifications to the image that confuse the image classification neural network.
This work introduces the notion of "time traveling" and uses historical Street View images accessible to anybody to perform inference on different, past versions of the same traffic sign.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Adversarial example attacks have emerged as a critical threat to machine learning. Adversarial attacks in image classification abuse various minor modifications to the image that confuse the image classification neural network, while the image still remains recognizable to humans. One important domain where these attacks have been applied is the automotive setting, with traffic sign classification. Researchers have demonstrated that adding stickers, shining light, or adding shadows are all different means to make machine learning inference algorithms misclassify traffic signs. This can cause potentially dangerous situations: a stop sign recognized as a speed limit sign causes vehicles to ignore it and can lead to accidents. To address these attacks, this work focuses on enhancing defenses against such adversarial attacks. It shifts the advantage to the user by introducing the idea of leveraging historical images and majority voting. While the attacker modifies the traffic sign that is currently being processed by the victim's machine learning inference, the victim can gain the advantage by examining past images of the same traffic sign. This work introduces the notion of "time traveling" and uses historical Street View images accessible to anybody to perform inference on different, past versions of the same traffic sign. In the evaluation, the proposed defense achieves 100% effectiveness against the latest adversarial example attack on a traffic sign classification algorithm.
Related papers
- Secure Traffic Sign Recognition: An Attention-Enabled Universal Image Inpainting Mechanism against Light Patch Attacks [15.915892134535842]
  Researchers recently identified a new attack vector to deceive sign recognition systems: projecting well-designed adversarial light patches onto traffic signs.
  To effectively counter this security threat, we propose a universal image inpainting mechanism, namely, SafeSign.
  It relies on attention-enabled multi-view image fusion to repair traffic signs contaminated by adversarial light patches.
  arXiv Detail & Related papers (2024-09-06T08:58:21Z)
- Invisible Optical Adversarial Stripes on Traffic Sign against Autonomous Vehicles [10.17957244747775]
  This paper presents an attack that uses light-emitting diodes and exploits the camera's rolling shutter effect to mislead traffic sign recognition.
  The attack is stealthy because the stripes on the traffic sign are invisible to humans.
  We discuss the countermeasures at the levels of camera sensor, perception model, and autonomous driving system.
  arXiv Detail & Related papers (2024-07-10T09:55:31Z)
- Adversary ML Resilience in Autonomous Driving Through Human Centered Perception Mechanisms [0.0]
  This paper explores the resilience of autonomous driving systems against three main physical adversarial attacks (tape, graffiti, illumination).
  To build robustness against attacks, defense techniques like adversarial training and transfer learning were implemented.
  Results demonstrated transfer learning models played a crucial role in performance by allowing knowledge gained from shape training to improve generalizability of road sign classification.
  arXiv Detail & Related papers (2023-11-02T04:11:45Z)
- Explainable and Trustworthy Traffic Sign Detection for Safe Autonomous Driving: An Inductive Logic Programming Approach [0.0]
  We propose an ILP-based approach for stop sign detection in Autonomous Vehicles.
  It is more robust against adversarial attacks, as it mimics human-like perception.
  It is able to correctly identify all targeted stop signs, even in the presence of PR2 and ADvCam attacks.
  arXiv Detail & Related papers (2023-08-30T09:05:52Z)
- Identification of Attack-Specific Signatures in Adversarial Examples [62.17639067715379]
  We show that different attack algorithms produce adversarial examples which are distinct not only in their effectiveness but also in how they qualitatively affect their victims.
  Our findings suggest that prospective adversarial attacks should be compared not only via their success rates at fooling models but also via deeper downstream effects they have on victims.
  arXiv Detail & Related papers (2021-10-13T15:40:48Z)
- Evaluating the Robustness of Semantic Segmentation for Autonomous Driving against Real-World Adversarial Patch Attacks [62.87459235819762]
  In a real-world scenario like autonomous driving, more attention should be devoted to real-world adversarial examples (RWAEs).
  This paper presents an in-depth evaluation of the robustness of popular SS models by testing the effects of both digital and real-world adversarial patches.
  arXiv Detail & Related papers (2021-08-13T11:49:09Z)
- Resilience of Autonomous Vehicle Object Category Detection to Universal Adversarial Perturbations [0.0]
  We evaluate the impact of universal perturbations on object detection at a class-level.
  We use Faster-RCNN object detector on images of five different categories: person, car, traffic light, truck, stop sign and traffic light.
  Our results indicate that person, car, traffic light, truck and stop sign are resilient in that order (most to least) to universal perturbations.
  arXiv Detail & Related papers (2021-07-10T03:40:25Z)
- Targeted Physical-World Attention Attack on Deep Learning Models in Road Sign Recognition [79.50450766097686]
  This paper proposes the targeted attention attack (TAA) method for real world road sign attack.
  Experimental results validate that the TAA method improves the attack success rate (nearly 10%) and reduces the perturbation loss (about a quarter) compared with the popular RP2 method.
  arXiv Detail & Related papers (2020-10-09T02:31:34Z)
- Online Alternate Generator against Adversarial Attacks [144.45529828523408]
  Deep learning models are notoriously sensitive to adversarial examples which are synthesized by adding quasi-perceptible noises on real images.
  We propose a portable defense method, online alternate generator, which does not need to access or modify the parameters of the target networks.
  The proposed method works by online synthesizing another image from scratch for an input image, instead of removing or destroying adversarial noises.
  arXiv Detail & Related papers (2020-09-17T07:11:16Z)
- Deflecting Adversarial Attacks [94.85315681223702]
  We present a new approach towards ending this cycle where we "deflect" adversarial attacks by causing the attacker to produce an input that resembles the attack's target class.
  We first propose a stronger defense based on Capsule Networks that combines three detection mechanisms to achieve state-of-the-art detection performance.
  arXiv Detail & Related papers (2020-02-18T06:59:13Z)
- Over-the-Air Adversarial Flickering Attacks against Video Recognition Networks [54.82488484053263]
  Deep neural networks for video classification may be subjected to adversarial manipulation.
  We present a manipulation scheme for fooling video classifiers by introducing a flickering temporal perturbation.
  The attack was implemented on several target models and the transferability of the attack was demonstrated.
  arXiv Detail & Related papers (2020-02-12T17:58:12Z)