Semantic Preserving Adversarial Attack Generation with Autoencoder and Genetic Algorithm

Widely used deep learning models are found to have poor robustness. Little noises can fool state-of-the-art models into making incorrect predictions. While there is a great deal of high-performance attack generation methods, most of them directly add perturbations to original data and measure them u...

Full description

Saved in:
Bibliographic Details
Published inGLOBECOM 2022 - 2022 IEEE Global Communications Conference pp. 80 - 85
Main Authors Wang, Xinyi, Enoch, Simon Yusuf, Kim, Dan Dongseong
Format Conference Proceeding
LanguageEnglish
Published IEEE 04.12.2022
Subjects
Adversarial attack
Attack generation
Closed box
Cyber-attacks
Deep Learning
Defense
Feature extraction
Graphics processing units
Machine learning
Neural networks
Perturbation methods
Predictive models
Semantics
Training
Online AccessGet full text

Cover

More Information
Summary:Widely used deep learning models are found to have poor robustness. Little noises can fool state-of-the-art models into making incorrect predictions. While there is a great deal of high-performance attack generation methods, most of them directly add perturbations to original data and measure them using L_p norms; this can break the major structure of data, thus, creating invalid attacks. In this paper, we propose a black-box attack, which, instead of modifying original data, modifies latent features of data extracted by an autoencoder; then, we measure noises in semantic space to protect the semantics of data. We trained autoencoders on MNIST and CIFAR-10 datasets and found optimal adversarial perturbations using a genetic algorithm. Our approach achieved a 100% attack success rate on the first 100 data of MNIST and CIFAR-10 datasets with less perturbation than FGSM.
DOI:10.1109/GLOBECOM48099.2022.10000826