{"title":"Adversarial ink: componentwise backward error attacks on deep learning","authors":"Lucas Beerens, Desmond J Higham","doi":"10.1093/imamat/hxad017","DOIUrl":null,"url":null,"abstract":"Abstract Deep neural networks are capable of state-of-the-art performance in many classification tasks. However, they are known to be vulnerable to adversarial attacks—small perturbations to the input that lead to a change in classification. We address this issue from the perspective of backward error and condition number, concepts that have proved useful in numerical analysis. To do this, we build on the work of Beuzeville, T., Boudier, P., Buttari, A., Gratton, S., Mary, T. and Pralet S. (2021) Adversarial attacks via backward error analysis. hal-03296180, version 3. In particular, we develop a new class of attack algorithms that use componentwise relative perturbations. Such attacks are highly relevant in the case of handwritten documents or printed texts where, for example, the classification of signatures, postcodes, dates or numerical quantities may be altered by changing only the ink consistency and not the background. This makes the perturbed images look natural to the naked eye. Such ‘adversarial ink’ attacks therefore reveal a weakness that can have a serious impact on safety and security. We illustrate the new attacks on real data and contrast them with existing algorithms. 
We also study the use of a componentwise condition number to quantify vulnerability.","PeriodicalId":56297,"journal":{"name":"IMA Journal of Applied Mathematics","volume":"22 1","pages":"0"},"PeriodicalIF":1.4000,"publicationDate":"2023-06-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IMA Journal of Applied Mathematics","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1093/imamat/hxad017","RegionNum":4,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"MATHEMATICS, APPLIED","Score":null,"Total":0}
Citations: 1
Abstract
Deep neural networks are capable of state-of-the-art performance in many classification tasks. However, they are known to be vulnerable to adversarial attacks—small perturbations to the input that lead to a change in classification. We address this issue from the perspective of backward error and condition number, concepts that have proved useful in numerical analysis. To do this, we build on the work of Beuzeville, T., Boudier, P., Buttari, A., Gratton, S., Mary, T. and Pralet S. (2021) Adversarial attacks via backward error analysis. hal-03296180, version 3. In particular, we develop a new class of attack algorithms that use componentwise relative perturbations. Such attacks are highly relevant in the case of handwritten documents or printed texts where, for example, the classification of signatures, postcodes, dates or numerical quantities may be altered by changing only the ink consistency and not the background. This makes the perturbed images look natural to the naked eye. Such ‘adversarial ink’ attacks therefore reveal a weakness that can have a serious impact on safety and security. We illustrate the new attacks on real data and contrast them with existing algorithms. We also study the use of a componentwise condition number to quantify vulnerability.
About the journal:
The IMA Journal of Applied Mathematics is a direct successor of the Journal of the Institute of Mathematics and its Applications which was started in 1965. It is an interdisciplinary journal that publishes research on mathematics arising in the physical sciences and engineering as well as suitable articles in the life sciences, social sciences, and finance. Submissions should address interesting and challenging mathematical problems arising in applications. A good balance between the development of the application(s) and the analysis is expected. Papers that either use established methods to address solved problems or that present analysis in the absence of applications will not be considered.
The journal welcomes submissions in many research areas. Examples are: continuum mechanics materials science and elasticity, including boundary layer theory, combustion, complex flows and soft matter, electrohydrodynamics and magnetohydrodynamics, geophysical flows, granular flows, interfacial and free surface flows, vortex dynamics; elasticity theory; linear and nonlinear wave propagation, nonlinear optics and photonics; inverse problems; applied dynamical systems and nonlinear systems; mathematical physics; stochastic differential equations and stochastic dynamics; network science; industrial applications.