Abstract
The rapid advancement of artificial intelligence within the realm of
cybersecurity raises significant security concerns. The vulnerability of deep
learning models to adversarial attacks is one of the major issues. In
adversarial machine learning, malicious users try to fool a deep learning
model by feeding it adversarially perturbed inputs during its training or
testing phase. This lowers the model's confidence score and results in
incorrect classifications. The novel contribution of this research is an
empirical test of the black-box adversarial transferability phenomenon in
cyber attack detection systems: adversarial perturbation inputs generated
through a surrogate model have a similar effect on the target model, causing
it to produce incorrect classifications. To validate this phenomenon
empirically, a surrogate model and a target model are used. The adversarial
perturbation inputs are generated from the surrogate model, for which the
attacker has complete information. Both the surrogate and the target model are
then evaluated on these adversarial perturbation inputs during the inference
phase. We carried out extensive experiments on the CICDDoS-2019 dataset, and
the results are reported in terms of various performance metrics such as
accuracy, precision, recall, and F1-score. The findings indicate that any deep
learning model is highly susceptible to adversarial attacks, even if the
attacker does not have access to the internal details of the target model. The
results also indicate that white-box adversarial attacks have a more severe
impact than black-box adversarial attacks. There is a need to investigate and
explore adversarial defence techniques to increase the robustness of deep
learning models against adversarial attacks.
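The surrogate/target protocol the abstract describes, as an added illustration that is not code from the paper: two classifiers are trained on disjoint samples, perturbations are crafted with knowledge of the surrogate only, and both models are scored on them so the white-box drop (surrogate) can be compared with the black-box drop (target). It assumes constructed synthetic three-feature data in place of CICDDoS-2019, logistic regression in place of the deep models, and FGSM as the perturbation method, none of which the abstract specifies.

```python
import math
import random

def make_data(n, seed):
    # Constructed synthetic data: class 1 (attack) is shifted from class 0 (benign)
    # along the first two "flow" features; the third feature carries no signal.
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n):
        y = rng.randint(0, 1)
        xs.append([rng.gauss(2.5 * y, 1.0), rng.gauss(-2.5 * y, 1.0), rng.gauss(0.0, 1.0)])
        ys.append(y)
    return xs, ys

def predict_prob(model, x):
    # model = (weights, bias); numerically safe logistic output P(y = 1 | x)
    z = sum(wi * xi for wi, xi in zip(model[0], x)) + model[1]
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))

def train(xs, ys, epochs=100, lr=0.05):
    # Plain SGD on the logistic loss.
    w, b = [0.0] * len(xs[0]), 0.0
    for _ in range(epochs):
        for x, y in zip(xs, ys):
            err = predict_prob((w, b), x) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, x)]
            b -= lr * err
    return w, b

def accuracy(model, xs, ys):
    return sum((predict_prob(model, x) >= 0.5) == (y == 1) for x, y in zip(xs, ys)) / len(ys)

def fgsm(model, xs, ys, eps):
    # FGSM: x' = x + eps * sign(dLoss/dx). For logistic regression that gradient is
    # (p - y) * w, so only the surrogate's own weights are needed, never the target's.
    w, _ = model
    adv = []
    for x, y in zip(xs, ys):
        err = predict_prob(model, x) - y
        adv.append([xi + eps * math.copysign(1.0, err * wi) for xi, wi in zip(x, w)])
    return adv

def transfer_experiment(eps=1.5):
    # Surrogate and target never share training samples; only the test set is shared.
    surrogate = train(*make_data(300, seed=1))
    target = train(*make_data(300, seed=2))
    test_x, test_y = make_data(200, seed=3)
    adv_x = fgsm(surrogate, test_x, test_y, eps)  # crafted with surrogate knowledge only
    return {
        "clean_target": accuracy(target, test_x, test_y),
        "white_box_surrogate": accuracy(surrogate, adv_x, test_y),  # attacker knows this model
        "black_box_target": accuracy(target, adv_x, test_y),  # transferred perturbations
    }
```

Calling `transfer_experiment()` returns the three accuracies; the gap between `clean_target` and `black_box_target` is the transferability effect the abstract measures, and `white_box_surrogate` is the reference drop when the attacked model is fully known.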
External Datasets
CICDDoS-2019
References
A survey on machine learning techniques for cyber security in the last decade
K. Shaukat, S. Luo, V. Varadharajan, I. A. Hameed, M. Xu
IEEE Access
Published: 2020
A Systematic Review of Deep Learning Approaches for Computer Network and Information Security
K. Roshan, A. Zafar
Lecture Notes in Electrical Engineering
Published: 2022
Deep Learning Approaches for Anomaly and Intrusion Detection in Computer Network: A Review
Lecture Notes on Data Engineering and Communications Technologies
The Limitations of Deep Learning in Adversarial Settings
Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, Ananthram Swami
European Symposium on Security and Privacy (EuroS&P)
Published: 2015-11-24
Deep learning takes advantage of large datasets and computationally efficient
training algorithms to outperform other approaches at various machine learning
tasks. However, imperfections in the training phase of deep neural networks
make them vulnerable to adversarial samples: inputs crafted by adversaries with
the intent of causing deep neural networks to misclassify. In this work, we
formalize the space of adversaries against deep neural networks (DNNs) and
introduce a novel class of algorithms to craft adversarial samples based on a
precise understanding of the mapping between inputs and outputs of DNNs. In an
application to computer vision, we show that our algorithms can reliably
produce samples correctly classified by human subjects but misclassified in
specific targets by a DNN with a 97% adversarial success rate while only
modifying on average 4.02% of the input features per sample. We then evaluate
the vulnerability of different sample classes to adversarial perturbations by
defining a hardness measure. Finally, we describe preliminary work outlining
defenses against adversarial samples by defining a predictive measure of
distance between a benign input and a target classification.
Towards Evaluating the Robustness of Neural Networks
Nicholas Carlini, David Wagner
Published: 2016-08-17
Neural networks provide state-of-the-art results for most machine learning
tasks. Unfortunately, neural networks are vulnerable to adversarial examples:
given an input $x$ and any target classification $t$, it is possible to find a
new input $x'$ that is similar to $x$ but classified as $t$. This makes it
difficult to apply neural networks in security-critical areas. Defensive
distillation is a recently proposed approach that can take an arbitrary neural
network, and increase its robustness, reducing the success rate of current
attacks' ability to find adversarial examples from $95\%$ to $0.5\%$.
In this paper, we demonstrate that defensive distillation does not
significantly increase the robustness of neural networks by introducing three
new attack algorithms that are successful on both distilled and undistilled
neural networks with $100\%$ probability. Our attacks are tailored to three
distance metrics used previously in the literature, and when compared to
previous adversarial example generation algorithms, our attacks are often much
more effective (and never worse). Furthermore, we propose using high-confidence
adversarial examples in a simple transferability test we show can also be used
to break defensive distillation. We hope our attacks will be used as a
benchmark in future defense attempts to create neural networks that resist
adversarial examples.
Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples
Nicolas Papernot, Patrick McDaniel, Ian Goodfellow
Published: 2016-05-24
Many machine learning models are vulnerable to adversarial examples: inputs
that are specially crafted to cause a machine learning model to produce an
incorrect output. Adversarial examples that affect one model often affect
another model, even if the two models have different architectures or were
trained on different training sets, so long as both models were trained to
perform the same task. An attacker may therefore train their own substitute
model, craft adversarial examples against the substitute, and transfer them to
a victim model, with very little information about the victim. Recent work has
further developed a technique that uses the victim model as an oracle to label
a synthetic training set for the substitute, so the attacker need not even
collect a training set to mount the attack. We extend these recent techniques
using reservoir sampling to greatly enhance the efficiency of the training
procedure for the substitute model. We introduce new transferability attacks
between previously unexplored (substitute, victim) pairs of machine learning
model classes, most notably SVMs and decision trees. We demonstrate our attacks
on two commercial machine learning classification systems from Amazon (96.19%
misclassification rate) and Google (88.94%) using only 800 queries of the
victim model, thereby showing that existing machine learning approaches are in
general vulnerable to systematic black-box attacks regardless of their
structure.