Document Type
Article
Publication Date
5-30-2024
Publication Title
IEEE Transactions on Information Forensics and Security
Volume
19
Pages
5985-5998
Publisher Name
IEEE
Abstract
In this paper, we present a novel single-class, target-specific adversarial attack called SingleADV. The goal of SingleADV is to generate a universal perturbation that deceives the target model into confusing a specific category of objects with a target category while keeping the model's interpretations highly relevant and accurate. The universal perturbation is stochastically and iteratively optimized by minimizing an adversarial loss designed to account for both the classifier and interpreter costs in the targeted and non-targeted categories. In this optimization framework, driven by first- and second-moment estimates, the resulting loss surface promotes high confidence and high interpretation scores for adversarial samples. By avoiding unintended misclassification of samples from other categories, SingleADV enables more effective targeted attacks on interpretable deep learning systems in both white-box and black-box scenarios. To evaluate the effectiveness of SingleADV, we conduct experiments using four different model architectures (ResNet-50, VGG-16, DenseNet-169, and Inception-V3) coupled with three interpretation models (CAM, Grad, and MASK). Through extensive empirical evaluation, we demonstrate that SingleADV effectively deceives the target deep learning models and their associated interpreters under various conditions and settings. Our experimental results show that SingleADV is effective, achieving an average fooling ratio of 0.74 and an adversarial confidence level of 0.78 when generating deceptive adversarial samples. Furthermore, we discuss several countermeasures against SingleADV, including a transfer-based learning approach and existing preprocessing defenses.
Recommended Citation
Abdukhamidov, E., Abuhamad, M., Thiruvathukal, G.K., Kim, H., & Abuhmed, T. (2023). "SingleADV: Single-Class Target-Specific Attack against Interpretable Deep Learning Systems". IEEE Transactions on Information Forensics and Security, 10.1109/TIFS.2024.3407652
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.
Copyright Statement
IEEE seeks to maximize the rights of its authors and their employers to post the peer-reviewed accepted manuscript of an article on the author's personal web site or on a server operated by the author's employer. Additionally, IEEE allows its authors to follow mandates of agencies that fund the author's research by posting the peer-reviewed accepted manuscript versions of their articles in the agencies' publicly accessible repositories. No third party (other than authors and employers) may post IEEE-copyrighted material without obtaining the necessary licenses or permissions from the IEEE Intellectual Property Rights Office or other authorized representatives of the IEEE.
Comments
Author Posting © The Authors, 2024. This is an open access article that has been accepted for publication at IEEE Transactions on Information Forensics and Security.