
Adversarial attacks on neural networks

Xiaolu Hou, Slovak University of Technology in Bratislava

Deep learning is an artificial intelligence technique that imitates the way the human brain processes data and forms patterns for use in decisions. In recent years the popularity of deep learning has increased significantly as the technique became a practical and powerful tool for automating tasks. Because it can learn complex abstract concepts, deep learning has been employed as a solution for many different cybersecurity tasks: malware detection, network intrusion detection, voice authentication, etc.

Neural networks form the basis of current deep learning applications. They have proven effective in domains that provide enough labeled data to learn a classification model with a sufficient level of accuracy. A neural network is a network of interconnected nodes, or neurons, in which a signal is transmitted from the input neurons towards the output neurons.

In the past decade, neural networks have been shown to be vulnerable to small adversarial perturbations, either in the inputs or during the computation. Such adversarial attacks can cause misclassification and other attacker-desired behaviour of the neural network, which in turn leads to harmful outcomes when those networks are used. For example, misclassification of a traffic sign can lead to severe accidents. In this talk, we will present a few adversarial attacks on neural networks and discuss the corresponding consequences.

Neural networks today achieve state-of-the-art results in image recognition, but they can be fooled by surprisingly small perturbations of the input. So-called adversarial attacks alter pixels or lighting conditions so subtly that a human barely notices the difference, while the model is confidently certain of the wrong answer. The talk showed how such attacks work and why they matter for security in practice.

From neural networks to adversarial examples

A neural network is an interconnection of nodes that transforms an input into an output and is often used for classification, for example of images of cats and dogs. As early as 2014, researchers showed that adding a very small, deliberately designed noise to the original image is enough to make the network change its mind with very high confidence, even though a human can barely see the change. The attack can be untargeted (it suffices to cause any error) or targeted, where the attacker forces the model to choose a specific incorrect class. An illustrative example: a photograph of a panda, after a subtle modification, is classified as a gibbon with near-absolute confidence.
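The mechanism behind the panda/gibbon example above, and the untargeted versus targeted distinction, can be reproduced on a toy model in a few dozen lines. The following is an added example and is not code from the talk or from the speaker: it builds a single-neuron linear "cat vs dog" classifier over a constructed 16x16 grey image (weights and image are constructed here, not learned), applies one fast-gradient-sign step of per-pixel size 0.05 in either untargeted or targeted mode, and shows that the flipped decision is held with higher confidence than the original one. It also includes the defender's counterpart, `is_robust`, which for a linear model decides exactly whether any perturbation within the given budget can change the label, since the worst-case logit shift is `eps * ||w||_1`. The names `LinearClassifier`, `fgsm`, `is_robust` and `make_image` are this example's own.

```python
import numpy as np

# Constructed toy: 16x16 grey image => 256 pixel features in [0, 1].
N_PIXELS = 16 * 16
EPS = 0.05  # per-pixel (L-infinity) perturbation budget on the 0..1 scale


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


class LinearClassifier:
    """Single neuron: logit = w . x + b; class 1 ("dog") if logit >= 0, else 0 ("cat")."""

    def __init__(self, w, b=0.0):
        self.w = np.asarray(w, dtype=float)
        self.b = float(b)

    def logit(self, x):
        return float(self.w @ x + self.b)

    def predict(self, x):
        return 1 if self.logit(x) >= 0 else 0

    def confidence(self, x):
        """Probability the model assigns to whatever class it predicts."""
        p = sigmoid(self.logit(x))
        return max(p, 1.0 - p)


def fgsm(model, x, eps, target=None):
    """One fast-gradient-sign step (Goodfellow et al., 2014) against a linear model.

    For a linear model the gradient of the logit with respect to the input is w,
    so moving every pixel by eps in the direction sign(w) shifts the logit by
    eps * ||w||_1. Untargeted: push the logit away from the current prediction.
    Targeted: push it toward the requested class.
    """
    if target is None:
        direction = -1.0 if model.predict(x) == 1 else 1.0
    else:
        direction = 1.0 if target == 1 else -1.0
    x_adv = x + eps * direction * np.sign(model.w)
    # the result must still be a valid image, so clip to the pixel range
    return np.clip(x_adv, 0.0, 1.0)


def is_robust(model, x, eps):
    """Defender's check: is the label provably unchanged by any L-inf perturbation <= eps?

    For a linear model the worst-case logit shift is exactly eps * ||w||_1, so
    the test is exact: robust iff |logit(x)| > eps * ||w||_1.
    """
    return abs(model.logit(x)) > eps * float(np.abs(model.w).sum())


def linf_distance(x, y):
    """Largest per-pixel change between two images."""
    return float(np.max(np.abs(x - y)))


def make_model():
    # constructed weights: +0.5 on even pixels, -0.5 on odd pixels, so ||w||_1 = 128
    w = np.where(np.arange(N_PIXELS) % 2 == 0, 0.5, -0.5)
    return LinearClassifier(w, b=0.0)


def make_image(label):
    # constructed image: mid-grey, with the positively weighted pixels 0.03 brighter
    # for a "dog" (label 1) or 0.03 darker for a "cat" (label 0); logit = +/-1.92
    x = np.full(N_PIXELS, 0.5)
    delta = 0.03 if label == 1 else -0.03
    x[::2] += delta
    return x


def demo():
    """Return (model, clean dog image, untargeted adversarial image)."""
    model = make_model()
    x = make_image(label=1)
    x_adv = fgsm(model, x, EPS)
    return model, x, x_adv


if __name__ == "__main__":
    model, x, x_adv = demo()
    print("clean:  class", model.predict(x), "confidence %.3f" % model.confidence(x))
    print("adv:    class", model.predict(x_adv), "confidence %.3f" % model.confidence(x_adv))
    print("max pixel change:", linf_distance(x, x_adv))
    print("robust at eps=0.05:", is_robust(model, x, 0.05), "| at eps=0.01:", is_robust(model, x, 0.01))
```

The logit of the clean image is 1.92 (about 87% "dog"); after a change of at most 0.05 per pixel the logit is -4.48 (about 99% "cat"), i.e. the wrong answer is held more confidently than the right one was. The size of the shift is the budget times `||w||_1`, which grows with the number of input dimensions, which is why perturbations invisible on a large image are enough. `is_robust` shows the corresponding defensive view: the same input is certifiably safe at a budget of 0.01 but not at 0.05; for deeper networks this exact bound is replaced by adversarial training or certified-robustness methods.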


Xiaolu Hou

Slovak University of Technology in Bratislava
Xiaolu Hou is currently an Assistant Professor at Faculty of Informatics and Information Technologies, Slovak University of Technology, Slovakia. She received her Ph.D. in mathematics from Nanyang Technological University (NTU), Singapore, in 2017. Before coming to Slovakia, she held multiple research fellow positions at National University of S…