Adversarial-Aware Deep Learning System Based on a Secondary Classical Machine Learning Verification Approach
Abstract
1. Introduction
1.1. Inspiration
1.2. Research Contributions and Paper Outline
1.3. Related Work
1.3.1. Adversarial Attacks
1.3.2. Adversarial Defenses
2. Materials and Methods
2.1. Motivation and Threat Model
2.2. Proposed Methodology
2.2.1. Category of Image Dataset
 SETcrc: The set of images that the DNN can correctly identify;
 SETmis: The set of images that the DNN misidentifies (misclassification);
 SETadv: The set of images produced by AML that can successfully and deliberately make the DNN misidentify as another object the attacker wants.
Algorithm 1: Categorize Image Dataset. 

2.2.2. Detection Algorithm
Algorithm 2: AdversarialAware Deep Learning System. 

2.3. Defense System Adaptive Design
2.3.1. Outputs of Our Proposed Adversarial-Aware Image Recognition System
 Decision A ($Dec_{a}$): An image in SETcrc that is authentic and correctly identified;
 Decision B ($Dec_{b}$): An image in SETmis that is correctly identified as forged;
 Decision C ($Dec_{c}$): An image in SETadv that is correctly identified as forged;
 Decision D ($Dec_{d}$): An image in SETcrc that is misidentified as forged;
 Decision E ($Dec_{e}$): An image in SETmis that is misidentified as authentic and misclassified;
 Decision F ($Dec_{f}$): An image in SETadv that is misidentified as authentic.
2.3.2. Adjustable Parameter in Our Proposed System
2.3.3. Using Objective Cost Function to Achieve Optimal Defense
Algorithm 3: Adaptive Design Algorithm. 

2.3.4. Examples of Adjusting Weights on Different Applications
 Autonomous driving: We can define $C_{a}$ = 0.3, $C_{b}$ = 0.1, and $C_{c}$ = 0.5. The value of $C_{c}$ is higher than $C_{a}$ because in autonomous driving it is more important to detect an adversarial attack than to correctly identify a normal roadside sign image. Similarly, we can define $C_{d}$ = 0.1, $C_{e}$ = 0.3, and $C_{f}$ = 0.8. We give $C_{f}$ a significantly higher value than the others because $Dec_{f}$ means the autonomous driving system is compromised under a deliberate adversarial attack: for example, a STOP sign image could be treated as a right-turn-only sign, which could result in a serious accident. The value of $C_{e}$ is higher than $C_{b}$ because of the risk we assign to the model's misclassified images going undetected.
 Healthcare: Although deep-learning-based healthcare systems can achieve high accuracy in disease diagnosis, few such systems have been deployed in highly automated disease screening settings because of a lack of trust. A human double-check process is therefore usually in place, and hence security failures of the deep learning healthcare system can be tolerated. Example values of the weights are $C_{a}$ = 0.7, $C_{b}$ = 0.4, $C_{c}$ = 0.1, $C_{d}$ = 0.4, $C_{e}$ = 0.1, and $C_{f}$ = 0.3. $C_{a}$ is the highest weight because the physician will most likely discover the failures behind the other decisions during manual double checking.
 Face recognition in checking work attendance: The impact of misrecognition or of an adversarial attack is low because employees rarely have the opportunity to exploit these weaknesses. Therefore, we can assign higher positive gain values, $C_{a}$ = 0.7, $C_{b}$ = 0.4, and $C_{c}$ = 0.2, and value the negative decisions as $C_{d}$ = 0.4, $C_{e}$ = 0.2, and $C_{f}$ = 0.2.
 Detecting inappropriate digital content: Mispredicting nudity in images, in a system meant to protect children, is another example where the cost of an AML attack is medium: not as risky as in autonomous driving, nor as tolerable as in face recognition. Hence, we can choose $C_{a}$ = 0.7, $C_{b}$ = 0.1, $C_{c}$ = 0.2, $C_{d}$ = 0.3, $C_{e}$ = 0.1, and $C_{f}$ = 0.1.
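The following is an added example, not code from the paper: it implements the image categorisation of Section 2.2.1 (Algorithm 1), maps a verifier verdict onto the six decisions of Section 2.3.1, and applies the four weight profiles above to choose a verifier configuration in the spirit of Algorithm 3. Formula (1) is not reproduced on this page, so the objective used here (weighted gains of decisions A to C minus weighted costs of decisions D to F, normalised by the number of images) is an assumption. The verifier "forged" scores, the candidate thresholds standing in for the paper's Top_n selection, and the sample images are all constructed; how an adversarial image whose attack failed is placed is likewise our assumption.

```python
"""Added example (not the paper's code): Algorithm 1 categorisation, the
decision labels of Section 2.3.1 and an assumed objective over the cost
weights of Section 2.3.4, used to pick a verifier configuration."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Sample:
    true_label: int
    dnn_pred: int                 # class predicted by the primary DNN
    forged_score: float           # secondary verifier's "forged" score (constructed stand-in)
    target: Optional[int] = None  # attacker's intended class; None for a clean image


def categorize(samples: List[Sample]) -> Dict[str, List[Sample]]:
    """Algorithm 1: split images into SETcrc / SETmis / SETadv (Section 2.2.1).
    Assumption (ours): an adversarial image whose attack failed is placed by the
    behaviour the DNN actually shows on it (correct -> SETcrc, wrong -> SETmis)."""
    sets: Dict[str, List[Sample]] = {"SETcrc": [], "SETmis": [], "SETadv": []}
    for s in samples:
        steered = s.target is not None and s.dnn_pred == s.target and s.target != s.true_label
        if steered:
            sets["SETadv"].append(s)      # deliberately misidentified as the attacker's class
        elif s.dnn_pred == s.true_label:
            sets["SETcrc"].append(s)
        else:
            sets["SETmis"].append(s)
    return sets


# (image set, verifier flags it as forged) -> decision label of Section 2.3.1
DECISION = {
    ("SETcrc", False): "a", ("SETcrc", True): "d",
    ("SETmis", True): "b", ("SETmis", False): "e",
    ("SETadv", True): "c", ("SETadv", False): "f",
}
GAINS, COSTS = ("a", "b", "c"), ("d", "e", "f")

# Cost weights exactly as given in Section 2.3.4
WEIGHTS = {
    "Autonomous driving":    dict(a=0.3, b=0.1, c=0.5, d=0.1, e=0.3, f=0.8),
    "Healthcare":            dict(a=0.7, b=0.4, c=0.1, d=0.4, e=0.1, f=0.3),
    "Face recognition":      dict(a=0.7, b=0.4, c=0.2, d=0.4, e=0.2, f=0.2),
    "Inappropriate content": dict(a=0.7, b=0.1, c=0.2, d=0.3, e=0.1, f=0.1),
}


def tally(sets: Dict[str, List[Sample]], verdict: Callable[[Sample], bool]) -> Counter:
    """Count decisions a-f; verdict(sample) is True when the verifier says 'forged'."""
    counts: Counter = Counter()
    for name, members in sets.items():
        for s in members:
            counts[DECISION[(name, bool(verdict(s)))]] += 1
    return counts


def objective(counts: Counter, weights: Dict[str, float]) -> float:
    """Assumed objective (Formula (1) is not on the page): weighted gains of
    decisions a-c minus weighted costs of decisions d-f, per image."""
    n = sum(counts.values()) or 1
    gain = sum(weights[k] * counts[k] for k in GAINS)
    cost = sum(weights[k] * counts[k] for k in COSTS)
    return (gain - cost) / n


def threshold_verdict(t: float) -> Callable[[Sample], bool]:
    """Constructed verifier configuration: flag as forged when score >= t."""
    return lambda s: s.forged_score >= t


def best_threshold(samples: List[Sample], thresholds: List[float], weights: Dict[str, float]) -> float:
    """Algorithm 3 idea: choose the configuration that maximises the objective."""
    sets = categorize(samples)
    return max(thresholds, key=lambda t: objective(tally(sets, threshold_verdict(t)), weights))


# Constructed samples: 6 end up in SETcrc, 2 in SETmis, 3 in SETadv
SAMPLES = [
    Sample(0, 0, 0.10), Sample(1, 1, 0.20), Sample(2, 2, 0.45),
    Sample(3, 3, 0.55), Sample(4, 4, 0.30),
    Sample(1, 1, 0.70, target=5),            # failed attack: DNN still correct -> SETcrc
    Sample(5, 6, 0.60), Sample(6, 7, 0.35),  # clean but misclassified -> SETmis
    Sample(7, 8, 0.90, target=8), Sample(8, 9, 0.50, target=9), Sample(9, 0, 0.40, target=0),
]
THRESHOLDS = [0.3, 0.5, 0.8]

if __name__ == "__main__":
    for app, w in WEIGHTS.items():
        t = best_threshold(SAMPLES, THRESHOLDS, w)
        print(f"{app:22s} best threshold {t}  decisions {dict(tally(categorize(SAMPLES), threshold_verdict(t)))}")
```

With these constructed inputs the autonomous-driving profile, which penalises an undetected adversarial image ($C_{f}$ = 0.8) far more than a clean image wrongly flagged ($C_{d}$ = 0.1), selects the most aggressive threshold, while the healthcare and attendance profiles, which prize $Dec_{a}$, select the most permissive one; that is the adaptive behaviour the weights are meant to produce.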
2.3.5. The Cost of Misclassified Clean Images
2.3.6. Evaluation Metric
3. Results
3.1. Experimental Setup
3.2. Adversarial Attack Configuration
3.3. Main Results
4. Discussion
4.1. Justifications
4.2. Model Scalability
4.3. Challenges
4.4. Future Work
5. Conclusions
Author Contributions
Funding
Conflicts of Interest
Abbreviations
DNN  Deep neural network 
ML  Machine learning 
Top_k  The index of the top k classes of a model prediction 
AML  Adversarial machine learning 
AI  Artificial intelligence 
FGSM  Fast gradient sign method 
CW  Carlini and Wagner attack 
PGD  Projected gradient descent attack 
ComCNN  Compression convolutional neural network 
kNN  K-nearest neighbors 
LID  Local intrinsic dimensionality 
MART  Misclassification-Aware adveRsarial Training 
AUC  Area under the ROC curve 
SVM  Support vector machine 
References
1. Goodfellow, I.J.; Shlens, J.; Szegedy, C. Explaining and harnessing adversarial examples. arXiv 2014, arXiv:1412.6572.
2. Krizhevsky, A.; Sutskever, I.; Hinton, G.E. ImageNet classification with deep convolutional neural networks. Commun. ACM 2017, 60, 84–90.
3. Vaswani, A.; Shazeer, N.; Parmar, N.; Uszkoreit, J.; Jones, L.; Gomez, A.N.; Kaiser, Ł.; Polosukhin, I. Attention is all you need. Adv. Neural Inf. Process. Syst. 2017, 30, arXiv:1706.03762.
4. Alkhowaiter, M.; Almubarak, K.; Zou, C. Evaluating perceptual hashing algorithms in detecting image manipulation over social media platforms. In Proceedings of the 2022 IEEE International Conference on Cyber Security and Resilience (CSR), Rhodes, Greece, 27–29 July 2022; pp. 149–156.
5. Alkhowaiter, M.; Almubarak, K.; Alyami, M.; Alghamdi, A.; Zou, C. Image Authentication Using Self-Supervised Learning to Detect Manipulation Over Social Network Platforms. In Proceedings of the MILCOM 2022 - 2022 IEEE Military Communications Conference (MILCOM), Rockville, MD, USA, 28 November–2 December 2022; pp. 672–678.
6. Reddy, T.; RM, S.P.; Parimala, M.; Chowdhary, C.L.; Hakak, S.; Khan, W.Z. A deep neural networks based model for uninterrupted marine environment monitoring. Comput. Commun. 2020, 157, 64–75.
7. Stone, P.; Brooks, R.; Brynjolfsson, E.; Calo, R.; Etzioni, O.; Hager, G.; Hirschberg, J.; Kalyanakrishnan, S.; Kamar, E.; Kraus, S.; et al. Artificial intelligence and life in 2030: The one hundred year study on artificial intelligence. arXiv 2022, arXiv:2211.06318.
8. Krizhevsky, A.; Hinton, G. Learning Multiple Layers of Features from Tiny Images; Technical Report; CIFAR: online, 2009; Available online: https://www.cs.utoronto.ca/~kriz/learningfeatures2009TR.pdf (accessed on 30 May 2023).
9. Papernot, N.; McDaniel, P. Deep k-nearest neighbors: Towards confident, interpretable and robust deep learning. arXiv 2018, arXiv:1803.04765.
10. Ma, X.; Li, B.; Wang, Y.; Erfani, S.M.; Wijewickrema, S.; Schoenebeck, G.; Song, D.; Houle, M.E.; Bailey, J. Characterizing adversarial subspaces using local intrinsic dimensionality. arXiv 2018, arXiv:1801.02613.
11. Lee, K.; Lee, K.; Lee, H.; Shin, J. A simple unified framework for detecting out-of-distribution samples and adversarial attacks. Adv. Neural Inf. Process. Syst. 2018, 31, arXiv:1807.03888.
12. Cohen, G.; Sapiro, G.; Giryes, R. Detecting adversarial samples using influence functions and nearest neighbors. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Seattle, WA, USA, 14–19 June 2020; pp. 14453–14462.
13. Moosavi-Dezfooli, S.M.; Fawzi, A.; Frossard, P. DeepFool: A simple and accurate method to fool deep neural networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 27–30 June 2016; pp. 2574–2582.
14. Carlini, N.; Wagner, D. Towards evaluating the robustness of neural networks. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2017; pp. 39–57.
15. Madry, A.; Makelov, A.; Schmidt, L.; Tsipras, D.; Vladu, A. Towards deep learning models resistant to adversarial attacks. arXiv 2017, arXiv:1706.06083.
16. Papernot, N.; McDaniel, P.; Jha, S.; Fredrikson, M.; Celik, Z.B.; Swami, A. The limitations of deep learning in adversarial settings. In Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS&P), Saarbrucken, Germany, 21–24 March 2016; pp. 372–387.
17. Chen, P.Y.; Sharma, Y.; Zhang, H.; Yi, J.; Hsieh, C.J. EAD: Elastic-net attacks to deep neural networks via adversarial examples. In Proceedings of the AAAI Conference on Artificial Intelligence, New Orleans, LA, USA, 2–7 February 2018; Volume 32.
18. Akhtar, N.; Mian, A. Threat of adversarial attacks on deep learning in computer vision: A survey. IEEE Access 2018, 6, 14410–14430.
19. Szegedy, C.; Zaremba, W.; Sutskever, I.; Bruna, J.; Erhan, D.; Goodfellow, I.; Fergus, R. Intriguing properties of neural networks. arXiv 2013, arXiv:1312.6199.
20. Wang, Y.; Zou, D.; Yi, J.; Bailey, J.; Ma, X.; Gu, Q. Improving adversarial robustness requires revisiting misclassified examples. In Proceedings of the International Conference on Learning Representations, Addis Ababa, Ethiopia, 26–30 April 2020.
21. Vivek, B.S.; Babu, R.V. Single-step Adversarial training with Dropout Scheduling. arXiv 2020, arXiv:cs.LG/2004.08628.
22. Naseer, M.; Khan, S.; Hayat, M.; Khan, F.S.; Porikli, F. A self-supervised approach for adversarial robustness. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Seattle, WA, USA, 13–19 June 2020; pp. 262–271.
23. Chen, T.; Liu, S.; Chang, S.; Cheng, Y.; Amini, L.; Wang, Z. Adversarial robustness: From self-supervised pre-training to fine-tuning. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Seattle, WA, USA, 13–19 June 2020; pp. 699–708.
24. Jia, X.; Wei, X.; Cao, X.; Foroosh, H. ComDefend: An efficient image compression model to defend adversarial examples. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Long Beach, CA, USA, 15–20 June 2019; pp. 6084–6092.
25. Samangouei, P.; Kabkab, M.; Chellappa, R. Defense-GAN: Protecting classifiers against adversarial attacks using generative models. arXiv 2018, arXiv:1805.06605.
26. He, K.; Zhang, X.; Ren, S.; Sun, J. Deep residual learning for image recognition. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 27–30 June 2016; pp. 770–778.
27. Simonyan, K.; Zisserman, A. Very deep convolutional networks for large-scale image recognition. arXiv 2014, arXiv:1409.1556.
28. Huang, G.; Liu, Z.; Van Der Maaten, L.; Weinberger, K.Q. Densely connected convolutional networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, HI, USA, 21–26 July 2017; pp. 4700–4708.
29. Waseda, F.; Nishikawa, S.; Le, T.N.; Nguyen, H.H.; Echizen, I. Closer Look at the Transferability of Adversarial Examples: How They Fool Different Models Differently. In Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision, Waikoloa, HI, USA, 2–7 January 2023; pp. 1360–1368.
30. Liaw, A.; Wiener, M. Classification and regression by randomForest. R News 2002, 2, 18–22.
31. Apruzzese, G.; Colajanni, M. Evading Botnet Detectors Based on Flows and Random Forest with Adversarial Samples. In Proceedings of the 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA, 1–3 November 2018; pp. 1–8.
32. Cutler, D.R.; Edwards Jr, T.C.; Beard, K.H.; Cutler, A.; Hess, K.T.; Gibson, J.; Lawler, J.J. Random forests for classification in ecology. Ecology 2007, 88, 2783–2792.
33. Strobl, C.; Malley, J.; Tutz, G. An introduction to recursive partitioning: Rationale, application, and characteristics of classification and regression trees, bagging, and random forests. Psychol. Methods 2009, 14, 323.
34. Phua, C.; Lee, V.; Smith, K.; Gayler, R. A comprehensive survey of data mining-based fraud detection research. arXiv 2010, arXiv:1009.6119.
35. Steele II, B.; Kholidy, H.A. 5G Networks Security: Attack Detection Using the J48 and the Random Forest Tree Classifiers; SUNY Polytechnic Institute: Utica, NY, USA, 2020.
36. Alyami, M.; Alkhowaiter, M.; Ghanim, M.A.; Zou, C.; Solihin, Y. MAC-Layer Traffic Shaping Defense Against Wi-Fi Device Fingerprinting Attacks. In Proceedings of the 2022 IEEE Symposium on Computers and Communications (ISCC), Rhodes, Greece, 30 June–3 July 2022; pp. 1–7.
37. Pedregosa, F.; Varoquaux, G.; Gramfort, A.; Michel, V.; Thirion, B.; Grisel, O.; Blondel, M.; Prettenhofer, P.; Weiss, R.; Dubourg, V.; et al. Scikit-learn: Machine Learning in Python. J. Mach. Learn. Res. 2011, 12, 2825–2830.
38. Falcon, W.; The PyTorch Lightning team. PyTorch Lightning. 2019.
39. Kim, H. Torchattacks: A PyTorch repository for adversarial attacks. arXiv 2020, arXiv:2010.01950.
40. Alyami, M.; Alharbi, I.; Zou, C.; Solihin, Y.; Ackerman, K. Wi-Fi-based IoT Devices Profiling Attack based on Eavesdropping of Encrypted Wi-Fi Traffic. In Proceedings of the 2022 IEEE 19th Annual Consumer Communications & Networking Conference (CCNC), Las Vegas, NV, USA, 8–11 January 2022; pp. 385–392.
41. Cortes, C.; Vapnik, V. Support-vector networks. Mach. Learn. 1995, 20, 273–297.
42. Deng, J.; Dong, W.; Socher, R.; Li, L.J.; Li, K.; Fei-Fei, L. ImageNet: A large-scale hierarchical image database. In Proceedings of the 2009 IEEE Conference on Computer Vision and Pattern Recognition, Miami, FL, USA, 20–25 June 2009; pp. 248–255.
Table: Accuracies (%) of the targeted model (ResNet34) and the untargeted models (VGG16, DenseNet) without attack and under each attack.
Attack | ResNet34 (targeted) | VGG16 (untargeted) | DenseNet (untargeted)
Without attack | 77.47 | 72.25 | 78.69
FGSM | 34.25 | 35.09 | 36.19
Deepfool | 25.78 | 24.79 | 24.84
CW | 25.77 | 24.49 | 25.0
PGD | 22.58 | 22.87 | 22.7
Table: Accuracy based on the best Top_n selection from Formula (1), per application weight profile and attack (Top_n chosen, accuracy).
Application | Weights | FGSM | DeepFool | CW | PGD
Autonomous driving | $C_a=0.3$, $C_b=0.1$, $C_c=0.5$, $C_d=0.1$, $C_e=0.3$, $C_f=0.8$ | Top_1, 81.14% | Top_1, 89.84% | Top_1, 89.68% | Top_1, 90.04%
Health care | $C_a=0.7$, $C_b=0.4$, $C_c=0.1$, $C_d=0.4$, $C_e=0.1$, $C_f=0.3$ | Top_5, 77.66% | Top_1, 89.84% | Top_1, 89.68% | Top_1, 90.04%
Face recognition | $C_a=0.7$, $C_b=0.4$, $C_c=0.2$, $C_d=0.4$, $C_e=0.2$, $C_f=0.2$ | Top_3, 79.06% | Top_1, 89.84% | Top_1, 89.68% | Top_1, 90.04%
Inappropriate content | $C_a=0.7$, $C_b=0.1$, $C_c=0.2$, $C_d=0.3$, $C_e=0.1$, $C_f=0.1$ | Top_14, 70.14% | Top_1, 89.84% | Top_1, 89.68% | Top_1, 90.04%
Table: Adversarial attack configuration and attack success ratio against the targeted model.
Targeted Model | Dataset | Adversarial Attack | Parameters | Attack Success Ratio (%)
ResNet34 | CIFAR-100 | FGSM | $\epsilon$ = 0.007 | 65.75
ResNet34 | CIFAR-100 | Deepfool | s = 50, overshoot = 0.02 | 99.92
ResNet34 | CIFAR-100 | CW | c = 1.0, $\kappa$ = 0, s = 50, lr = 0.01 | 98.64
ResNet34 | CIFAR-100 | PGD | $\epsilon$ = 0.03, $\alpha$ = 0.004, s = 40 | 98.83
Table: AUC score of each detector per attack.
Detector | FGSM | Deepfool | CW | PGD
DkNN [9] | 93.65 | 76.71 | 93.77 | 73.78
LID [10] | 80.68 | 52.25 | 67.84 | 72.25
Mahalanobis [11] | 83.90 | 62.05 | 71.60 | 72.46
NNIF [12] | 87.23 | 84.20 | 94.58 | 83.09
Top_1 | 86.62 | 97.57 | 98.21 | 96.49
Top_22 | 94.17 | 74.17 | 83.50 | 86.04
Table: Accuracy per application without and with misclassified clean images taken into account.
Application | w/o Misclassification (%) | With Misclassification (%)
Autonomous driving | 62.81 | 81.14
Health care | 63.20 | 77.66
Face recognition | 61.66 | 79.60
Detecting inappropriate content | 60.08 | 70.14
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Alkhowaiter, M.; Kholidy, H.; Alyami, M.A.; Alghamdi, A.; Zou, C. Adversarial-Aware Deep Learning System Based on a Secondary Classical Machine Learning Verification Approach. Sensors 2023, 23, 6287. https://doi.org/10.3390/s23146287