SingleADV: Single-Class Target-Specific Attack Against Interpretable Deep Learning Systems

Authors

Eldor Abdukhamidov, Sung Kyun Kwan University
Mohammed Abuhamad, Loyola University ChicagoFollow
George K. Thiruvathukal, Loyola University ChicagoFollow
Hyoungshick Kim, Sung Kyun Kwan University
Tamer Abuhmed, Sung Kyun Kwan University

Document Type

Article

Publication Date

5-30-2024

Publication Title

IEEE Transactions on Information Forensics and Security

Volume

19

Pages

5985-5998

Publisher Name

IEEE

Abstract

In this paper, we present a novel Single-class target-specific Adversarial attack called SingleADV. The goal of SingleADV is to generate a universal perturbation that deceives the target model into confusing a specific category of objects with a target category while ensuring highly relevant and accurate interpretations. The universal perturbation is stochastically and iteratively optimized by minimizing the adversarial loss that is designed to consider both the classifier and interpreter costs in targeted and non-targeted categories. In this optimization framework, ruled by the first- and second-moment estimations, the desired loss surface promotes high confidence and interpretation score of adversarial samples. By avoiding unintended misclassification of samples from other categories, SingleADV enables more effective targeted attacks on interpretable deep learning systems in both white-box and black-box scenarios. To evaluate the effectiveness of SingleADV, we conduct experiments using four different model architectures (ResNet-50, VGG-16, DenseNet-169, and Inception-V3) coupled with three interpretation models (CAM, Grad, and MASK). Through extensive empirical evaluation, we demonstrate that SingleADV effectively deceives the target deep learning models and their associated interpreters under various conditions and settings. Our experimental results show that the performance of SingleADV is effective, with an average fooling ratio of 0.74 and an adversarial confidence level of 0.78 in generating deceptive adversarial samples. Furthermore, we discuss several countermeasures against SingleADV, including a transfer-based learning approach and existing preprocessing defenses.

Comments

Author Posting © The Authors, 2024. This is an open access article that has been accepted for publication at IEEE Transactions on Information Forensics and Security.

Recommended Citation

Abdukhamidov, E., Abuhamad, M., Thiruvathukal, G.K., Kim, H., & Abuhmed, T. (2023). "SingleADV: Single-Class Target-Specific Attack against Interpretable Deep Learning Systems". IEEE Transactions on Information Forensics and Security, 10.1109/TIFS.2024.3407652

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

Copyright Statement

IEEE seeks to maximize the rights of its authors and their employers to post the peer-reviewed accepted manuscript of an article on the author's personal web site or on a server operated by the author's employer. Additionally, IEEE allows its authors to follow mandates of agencies that fund the author's research by posting the peer-reviewed accepted manuscript versions of their articles in the agencies' publicly accessible repositories. No third party (other than authors and employers) may post IEEE-copyrighted material without obtaining the necessary licenses or permissions from the IEEE Intellectual Property Rights Office or other authorized representatives of the IEEE.