Yushi Cheng
Abstract
The rising demand for utilizing fine-grained data in deep-learning (DL) based intelligent systems presents challenges for the collection and transmission abilities of real-world devices. Deep compressive sensing, which employs deep learning algorithms to compress signals at the sensing stage and reconstruct them with high quality at the receiving stage, provides a state-of-the-art solution for the problem of large-scale fine-grained data. However, recent works have proven that fatal security flaws exist in current deep learning methods and such instability is universal for DL-based image reconstruction methods. In this article, we assess the security risks introduced by deep compressive sensing in the widely used computer vision system in the face of adversarial example attacks and poisoning attacks. To implement the security inspection in an unbiased and complete manner, we develop a comprehensive methodology and a set of evaluation metrics to manage all potential combinations of attack methods, datasets (application scenarios), categories of deep compressive sensing models, and image classifiers. The results demonstrate that deep compressive sensing models unknown to adversaries can protect the computer vision system from adversarial example attacks and poisoning attacks, whereas the ones exposed to adversaries can cause the system to become more vulnerable.
- [1] . 2020. On instabilities of deep learning in image reconstruction and the potential costs of AI. Proceedings of the National Academy of Sciences (PNAS’20) 117, 48 (2020), 30088–30095.Google Scholar
Cross Ref
- [2] . 2014. Microwave imaging of nonweak targets via compressive sensing and virtual experiments. IEEE Antennas and Wireless Propagation Letters 14 (2014), 1035–1038.Google ScholarCross Ref
- [3] . 2015. A survey of compressed sensing. In Compressed Sensing and Its Applications. Springer, 1–39.Google ScholarCross Ref
- [4] . 2017. Towards evaluating the robustness of neural networks. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP’17). 39–57.Google Scholar
- [5] . 2017. ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (AISec’17). 15–26.Google Scholar
- [6] Muhammad E. H. Chowdhury, Tawsifur Rahman, Amith Khandakar, Rashid Mazhar, Muhammad Abdul Kadir, Zaid Bin Mahbub, Khandakar Reajul Islam, Muhammad Salman Khan, Atif Iqbal, Nasser Al Emadi, Mamun Bin Ibne Reaz, and Mohammad Tariqul Islam. 2020. Can AI help in screening viral and COVID-19 Pneumonia? IEEE Access 8 (2020), 132665–132676.Google ScholarCross Ref
- [7] . 2021. Measuring robustness in deep learning based compressive sensing. In Proceedings of the 38th International Conference on Machine Learning (ICML’21). 2433–2444.Google Scholar
- [8] . 2020. Compressive recovery defense: Defending neural networks against \(\mathbf {L}\_2\), \(\mathbf {L}\_\infty\) and \(\mathbf {L}\_0\) norm attacks. In Proceedings of the 2020 International Joint Conference on Neural Networks (IJCNN’20). 1–8.Google ScholarCross Ref
- [9] . 2017. IoT based compressive sensing for ECG monitoring. In Proceedings of the 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). 183–189.Google ScholarCross Ref
- [10] . 2018. Boosting adversarial attacks with momentum. In Proceedings of the 2018 IEEE Conference on Computer vision and Pattern Recognition (CVPR’18). 9185–9193.Google ScholarCross Ref
- [11] . 2006. Compressed sensing. IEEE Transactions on Information Theory 52, 4 (2006), 1289–1306.Google ScholarDigital Library
- [12] . 2016. A study of the effect of JPG compression on adversarial images. arXiv preprint arXiv:1608.00853 (2016).Google Scholar
- [13] . 2022. Multi-view fusion of sensor data for improved perception and prediction in autonomous driving. In Proceedings of the 2022 IEEE/CVF Winter Conference on Applications of Computer Vision. 2349–2357.Google ScholarCross Ref
- [14] . 2022. Solving inverse problems with deep neural networksRobustness included. IEEE Transactions on Pattern Analysis and Machine Intelligence (2022), 1–1.Google Scholar
- [15] . 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).Google Scholar
- [16] . 2020. The troublesome kernel: Why deep learning for inverse problems is typically unstable. arXiv preprint arXiv:2001.01258 (2020).Google Scholar
- [17] . 2019. Badnets: Evaluating backdooring attacks on deep neural networks. IEEE Access 7 (2019), 47230–47244.Google ScholarCross Ref
- [18] . 2018. Some investigations on robustness of deep learning in limited angle tomography. In Proceedings of the 2018 Medical Image Computing and Computer Assisted Intervention (MICCAI’18). 145–153.Google Scholar
- [19] . 2020. Compressive sensing spectroscopy using a residual convolutional neural network. Sensors 20, 3 (2020), 594.Google ScholarCross Ref
- [20] . 2021. Compressive imaging for defending deep neural networks from adversarial attacks. Optics Letters 46, 8 (2021), 1951–1954.Google ScholarCross Ref
- [21] . 2021. Compressive imaging for thwarting adversarial attacks on 3D point cloud classifiers. Optics Express 29, 26 (2021), 42726–42737.Google ScholarCross Ref
- [22] Alex Krizhevsky and Geoffrey Hinton. 2009. Learning multiple layers of features from tiny images. Technical report University of Toronto (2009).Google Scholar
- [23] . 2012. Compressed sensing signal and data acquisition in wireless sensor networks and Internet of Things. IEEE Transactions on Industrial Informatics 9 (2012), 2177–2186.Google ScholarCross Ref
- [24] . 2018. Defense against adversarial attacks using high-level representation guided denoiser. In Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition (CVPR’18). 1778–1787.Google ScholarCross Ref
- [25] . 2018. Large-scale celebfaces attributes (Celeba) dataset. Retrieved August 15, 2018 (2018), 11.Google Scholar
- [26] . 2020. Determining the thermal characteristics of breast cancer based on high-resolution infrared imaging, 3D breast scans, and magnetic resonance imaging. Scientific Reports 10 (2020), 1–14.Google ScholarCross Ref
- [27] . 2019. Explaining vulnerabilities to adversarial machine learning through visual analytics. IEEE Transactions on Visualization and Computer Graphics 26 (2019), 1075–1085.Google ScholarCross Ref
- [28] . 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017).Google Scholar
- [29] . 2015. A deep learning approach to structured signal recovery. In Proceedings of the 53rd Annual Allerton Conference on Communication, Control, and Computing (Allerton’15). 1336–1343.Google ScholarDigital Library
- [30] . 2019. Poisoning attacks with generative adversarial nets. arXiv preprint arXiv:1906.07773 (2019).Google Scholar
- [31] . 1992. Nonlinear total variation based noise removal algorithms. Physica D: Nonlinear Phenomena 60, 1-4 (1992), 259–268.Google ScholarDigital Library
- [32] . 2017. A deep cascade of convolutional neural networks for dynamic MR image reconstruction. IEEE transactions on Medical Imaging 37, 2 (2017), 491–503.Google ScholarCross Ref
- [33] . 2019. Image compressed sensing using convolutional neural network. IEEE Transactions on Image Processing 29 (2019), 375–388.Google ScholarDigital Library
- [34] . 2018. Physical adversarial examples for object detectors. In Proceedings of the 12th USENIX Workshop on Offensive Technologies (WOOT’18).Google Scholar
- [35] . 2022. CSG: Classifier-aware defense strategy based on compressive sensing and generative networks for visual recognition in autonomous vehicle systems. IEEE Transactions on Intelligent Transportation Systems (2022), 1–11.Google Scholar
- [36] . 2004. Image quality assessment: From error visibility to structural similarity. IEEE Transactions on Image Processing 13, 4 (2004), 600–612.Google ScholarDigital Library
- [37] . 2019. Deep compressed sensing. In Proceedings of the 36th International Conference on Machine Learning (ICML’19). 6850–6860.Google Scholar
- [38] . 2017. Feature squeezing: Detecting adversarial examples in deep neural networks. arXiv preprint arXiv:1704.01155 (2017).Google Scholar
- [39] . 2020. Facescape: A large-scale high quality 3D face dataset and detailed riggable 3D face prediction. In Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition (CVPR’20). 601–610.Google ScholarCross Ref
- [40] . 2018. ISTA-Net: Interpretable optimization-inspired deep network for image compressive sensing. In Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition (CVPR’18). 1828–1837.Google ScholarCross Ref
- [41] . 2019. Defending against whitebox adversarial attacks via randomized discretization. In Proceedings of the 22nd International Conference on Artificial Intelligence and Statistics (AISTATS’19). 684–693.Google Scholar
- [42] . 2016. Loss functions for image restoration with neural networks. IEEE Transactions on Computational Imaging 3, 1 (2016), 47–57.Google ScholarCross Ref
Index Terms
- Evaluating Compressive Sensing on the Security of Computer Vision Systems
Recommendations
Image compressive sensing via Truncated Schatten-p Norm regularization
Low-rank property as a useful image prior has attracted much attention in image processing communities. Recently, a nonlocal low-rank regularization (NLR) approach toward exploiting low-rank property has shown the state-of-the-art performance in ...
Adversarial machine learning for cybersecurity and computer vision: Current developments and challenges
AbstractWe provide a comprehensive overview of adversarial machine learning focusing on two application domains, that is, cybersecurity and computer vision. Research in adversarial machine learning addresses a significant threat to the wide application of ...
Poisoning attack contaminates the training data to render a classifier useless; evasion attack generates adversarial samples at test time; membership inference attack and model inversion attack aim to infer information about data points used in the ...
Compressive sensing via nonlocal low-rank tensor regularization
The aim of Compressing sensing (CS) is to acquire an original signal, when it is sampled at a lower rate than Nyquist rate previously. In the framework of CS, the original signal is often assumed to be sparse and correlated in some domain. Recently, ...
Comments