Evaluation of adversarial attacks against deep learning models
The aim of the project is to evaluate and improve adversarial attacks against deep learning models. Specifically, this project will focus on attacks on deep learning models specific to image processing and classification and will only take references from defense methods. The definition of evaluat...
Saved in:
| Main Author: | |
|---|---|
| Other Authors: | |
| Format: | Final Year Project |
| Language: | English |
| Published: |
Nanyang Technological University
2023
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/165158 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| id |
sg-ntu-dr.10356-165158 |
|---|---|
| record_format |
dspace |
| spelling |
sg-ntu-dr.10356-1651582023-03-17T15:36:46Z Evaluation of adversarial attacks against deep learning models Lam, Sabrina Jing Wen Zhang Tianwei School of Computer Science and Engineering tianwei.zhang@ntu.edu.sg Engineering::Computer science and engineering The aim of the project is to evaluate and improve adversarial attacks against deep learning models. Specifically, this project will focus on attacks on deep learning models specific to image processing and classification and will only take references from defense methods. The definition of evaluation and improvement for this project would be to improve attack timings under the same computing resource and target model. A specific adversarial attack has been chosen in this project to focus on. Hence, understanding the various adversarial attacks on deep learning image classification models is essential in choosing which attack to focus on. The Projected Gradient Descent (PGD) attack was chosen for in-depth evaluation and improvement. The PGD attack explored in this project is a white box untargeted attack, specifically focusing on ∞ bound. Two datasets have also been used, the ImageNet dataset and CIFAR-10 dataset. Methods in order to improve effectiveness of the PGD attack were designed and attempted with the aim of improving attack timings. This is done in the form of attack variants. Four PGD variants have been crafted to test and improve its effectiveness against the standard PGD attacks and will be compared in two areas, attack timing and attack success rate (ASR). These four variants centre around the concept of randomness and decay in step sizes as well as the surrogate loss function of the PGD attacks. In total, six PGD attacks have been crafted, four variants and two standard PGD attacks for comparison. These six PGD attacks are then implemented on the two different datasets mentioned above, ImageNet and CIFAR-10. Hence, a total of twelve attacks were designed and implemented. The experimental results show that the PGD variants do improve effectiveness compared to standard PGD attacks. However, the variants are only effective in one area out of the two, either more effective in terms of attack timing or ASR. Brief improvements also have been attempted on the variants. Since the improvements attempted are brief, more research has to be done to successfully improve the variants. The experimental results also show that the properties of the variants along with using different surrogate loss functions produce different results when implemented on the different datasets. Overall, this project has proven that the concept of randomness in step size and concept of decay in step size are important factors of improving effectiveness of PGD attack. Additionally, this project has also proven that certain surrogate loss function is more suited and improves effectiveness of PGD attacks better for certain datasets. Definitely, this project opens opportunities for future work. Bachelor of Engineering (Computer Science) 2023-03-17T01:53:31Z 2023-03-17T01:53:31Z 2023 Final Year Project (FYP) Lam, S. J. W. (2023). Evaluation of adversarial attacks against deep learning models. Final Year Project (FYP), Nanyang Technological University, Singapore. https://hdl.handle.net/10356/165158 https://hdl.handle.net/10356/165158 en application/pdf Nanyang Technological University |
| institution |
Nanyang Technological University |
| building |
NTU Library |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
NTU Library |
| collection |
DR-NTU |
| language |
English |
| topic |
Engineering::Computer science and engineering |
| spellingShingle |
Engineering::Computer science and engineering Lam, Sabrina Jing Wen Evaluation of adversarial attacks against deep learning models |
| description |
The aim of the project is to evaluate and improve adversarial attacks against deep
learning models. Specifically, this project will focus on attacks on deep learning
models specific to image processing and classification and will only take references from defense methods. The definition of evaluation and improvement
for this project would be to improve attack timings under the same computing
resource and target model.
A specific adversarial attack has been chosen in this project to focus on. Hence,
understanding the various adversarial attacks on deep learning image classification models is essential in choosing which attack to focus on. The
Projected Gradient Descent (PGD) attack was chosen for in-depth evaluation and
improvement. The PGD attack explored in this project is a white box untargeted
attack, specifically focusing on ∞ bound. Two datasets have also been used, the
ImageNet dataset and CIFAR-10 dataset.
Methods in order to improve effectiveness of the PGD attack were designed and
attempted with the aim of improving attack timings. This is done in the form of
attack variants. Four PGD variants have been crafted to test and improve its
effectiveness against the standard PGD attacks and will be compared in two areas, attack timing and attack success rate (ASR). These four variants centre around the concept of randomness and decay in step sizes as well as the surrogate loss function of the PGD attacks. In total, six PGD attacks have been crafted, four variants and two standard PGD attacks for comparison. These six PGD attacks are then implemented on the two different datasets mentioned above, ImageNet and CIFAR-10. Hence, a total of twelve attacks were designed and implemented.
The experimental results show that the PGD variants do improve effectiveness
compared to standard PGD attacks. However, the variants are only effective in
one area out of the two, either more effective in terms of attack timing or ASR.
Brief improvements also have been attempted on the variants. Since the
improvements attempted are brief, more research has to be done to successfully
improve the variants. The experimental results also show that the properties of
the variants along with using different surrogate loss functions produce different
results when implemented on the different datasets.
Overall, this project has proven that the concept of randomness in step size and
concept of decay in step size are important factors of improving effectiveness of
PGD attack. Additionally, this project has also proven that certain surrogate loss
function is more suited and improves effectiveness of PGD attacks better for
certain datasets. Definitely, this project opens opportunities for future work. |
| author2 |
Zhang Tianwei |
| author_facet |
Zhang Tianwei Lam, Sabrina Jing Wen |
| format |
Final Year Project |
| author |
Lam, Sabrina Jing Wen |
| author_sort |
Lam, Sabrina Jing Wen |
| title |
Evaluation of adversarial attacks against deep learning models |
| title_short |
Evaluation of adversarial attacks against deep learning models |
| title_full |
Evaluation of adversarial attacks against deep learning models |
| title_fullStr |
Evaluation of adversarial attacks against deep learning models |
| title_full_unstemmed |
Evaluation of adversarial attacks against deep learning models |
| title_sort |
evaluation of adversarial attacks against deep learning models |
| publisher |
Nanyang Technological University |
| publishDate |
2023 |
| url |
https://hdl.handle.net/10356/165158 |
| _version_ |
1761781376764346368 |