Evaluating Compressive Sensing on the Security of Computer Vision Systems
Authors: 
Yushi Cheng, Boyang Zhou, Yanjiao Chen, Yi-Chao Chen, Xiaoyu Ji, Wenyuan XuAuthors Info & Claims
Article No.: 56, Pages 1 - 24
Abstract
The rising demand for utilizing fine-grained data in deep-learning (DL) based intelligent systems presents challenges for the collection and transmission abilities of real-world devices. Deep compressive sensing, which employs deep learning algorithms to compress signals at the sensing stage and reconstruct them with high quality at the receiving stage, provides a state-of-the-art solution for the problem of large-scale fine-grained data. However, recent works have proven that fatal security flaws exist in current deep learning methods and such instability is universal for DL-based image reconstruction methods. In this article, we assess the security risks introduced by deep compressive sensing in the widely used computer vision system in the face of adversarial example attacks and poisoning attacks. To implement the security inspection in an unbiased and complete manner, we develop a comprehensive methodology and a set of evaluation metrics to manage all potential combinations of attack methods, datasets (application scenarios), categories of deep compressive sensing models, and image classifiers. The results demonstrate that deep compressive sensing models unknown to adversaries can protect the computer vision system from adversarial example attacks and poisoning attacks, whereas the ones exposed to adversaries can cause the system to become more vulnerable.
References
[1]
Vegard Antun, Francesco Renna, Clarice Poon, Ben Adcock, and Anders C. Hansen. 2020. On instabilities of deep learning in image reconstruction and the potential costs of AI. Proceedings of the National Academy of Sciences (PNAS’20) 117, 48 (2020), 30088–30095.
[2]
M. T. Bevacqua, L. Crocco, L. Di Donato, and T. Isernia. 2014. Microwave imaging of nonweak targets via compressive sensing and virtual experiments. IEEE Antennas and Wireless Propagation Letters 14 (2014), 1035–1038.
[3]
Holger Boche, Robert Calderbank, Gitta Kutyniok, and Jan Vybíral. 2015. A survey of compressed sensing. In Compressed Sensing and Its Applications. Springer, 1–39.
[4]
Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of neural networks. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP’17). 39–57.
[5]
Pin-Yu Chen, Huan Zhang, Yash Sharma, Jinfeng Yi, and Cho-Jui Hsieh. 2017. ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (AISec’17). 15–26.
[6]
Muhammad E. H. Chowdhury, Tawsifur Rahman, Amith Khandakar, Rashid Mazhar, Muhammad Abdul Kadir, Zaid Bin Mahbub, Khandakar Reajul Islam, Muhammad Salman Khan, Atif Iqbal, Nasser Al Emadi, Mamun Bin Ibne Reaz, and Mohammad Tariqul Islam. 2020. Can AI help in screening viral and COVID-19 Pneumonia? IEEE Access 8 (2020), 132665–132676.
[7]
Mohammad Zalbagi Darestani, Akshay S. Chaudhari, and Reinhard Heckel. 2021. Measuring robustness in deep learning based compressive sensing. In Proceedings of the 38th International Conference on Machine Learning (ICML’21). 2433–2444.
[8]
Jasjeet Dhaliwal and Kyle Hambrook. 2020. Compressive recovery defense: Defending neural networks against \(\mathbf {L}\_2\), \(\mathbf {L}\_\infty\) and \(\mathbf {L}\_0\) norm attacks. In Proceedings of the 2020 International Joint Conference on Neural Networks (IJCNN’20). 1–8.
[9]
Hamza Djelouat, Hamza Baali, Abbes Amira, and Faycal Bensaali. 2017. IoT based compressive sensing for ECG monitoring. In Proceedings of the 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). 183–189.
[10]
Yinpeng Dong, Fangzhou Liao, Tianyu Pang, Hang Su, Jun Zhu, Xiaolin Hu, and Jianguo Li. 2018. Boosting adversarial attacks with momentum. In Proceedings of the 2018 IEEE Conference on Computer vision and Pattern Recognition (CVPR’18). 9185–9193.
[11]
David L. Donoho. 2006. Compressed sensing. IEEE Transactions on Information Theory 52, 4 (2006), 1289–1306.
[12]
Gintare Karolina Dziugaite, Zoubin Ghahramani, and Daniel M. Roy. 2016. A study of the effect of JPG compression on adversarial images. arXiv preprint arXiv:1608.00853 (2016).
[13]
Sudeep Fadadu, Shreyash Pandey, Darshan Hegde, Yi Shi, Fang-Chieh Chou, Nemanja Djuric, and Carlos Vallespi-Gonzalez. 2022. Multi-view fusion of sensor data for improved perception and prediction in autonomous driving. In Proceedings of the 2022 IEEE/CVF Winter Conference on Applications of Computer Vision. 2349–2357.
[14]
Martin Genzel, Jan MacDonald, and Maximilian Marz. 2022. Solving inverse problems with deep neural networksRobustness included. IEEE Transactions on Pattern Analysis and Machine Intelligence (2022), 1–1.
[15]
Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).
[16]
Nina M. Gottschling, Vegard Antun, Ben Adcock, and Anders C. Hansen. 2020. The troublesome kernel: Why deep learning for inverse problems is typically unstable. arXiv preprint arXiv:2001.01258 (2020).
[17]
Tianyu Gu, Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. 2019. Badnets: Evaluating backdooring attacks on deep neural networks. IEEE Access 7 (2019), 47230–47244.
[18]
Yixing Huang, Tobias Würfl, Katharina Breininger, Ling Liu, Günter Lauritsch, and Andreas Maier. 2018. Some investigations on robustness of deep learning in limited angle tomography. In Proceedings of the 2018 Medical Image Computing and Computer Assisted Intervention (MICCAI’18). 145–153.
[19]
Cheolsun Kim, Dongju Park, and Heung-No Lee. 2020. Compressive sensing spectroscopy using a residual convolutional neural network. Sensors 20, 3 (2020), 594.
[20]
Vladislav Kravets, Bahram Javidi, and Adrian Stern. 2021. Compressive imaging for defending deep neural networks from adversarial attacks. Optics Letters 46, 8 (2021), 1951–1954.
[21]
Vladislav Kravets, Bahram Javidi, and Adrian Stern. 2021. Compressive imaging for thwarting adversarial attacks on 3D point cloud classifiers. Optics Express 29, 26 (2021), 42726–42737.
[22]
Alex Krizhevsky and Geoffrey Hinton. 2009. Learning multiple layers of features from tiny images. Technical report University of Toronto (2009).
[23]
Shancang Li, Li Da Xu, and Xinheng Wang. 2012. Compressed sensing signal and data acquisition in wireless sensor networks and Internet of Things. IEEE Transactions on Industrial Informatics 9 (2012), 2177–2186.
[24]
Fangzhou Liao, Ming Liang, Yinpeng Dong, Tianyu Pang, Xiaolin Hu, and Jun Zhu. 2018. Defense against adversarial attacks using high-level representation guided denoiser. In Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition (CVPR’18). 1778–1787.
[25]
Ziwei Liu, Ping Luo, Xiaogang Wang, and Xiaoou Tang. 2018. Large-scale celebfaces attributes (Celeba) dataset. Retrieved August 15, 2018 (2018), 11.
[26]
Adolfo Lozano, Jody C. Hayes, Lindsay M. Compton, Jamasp Azarnoosh, and Fatemeh Hassanipour. 2020. Determining the thermal characteristics of breast cancer based on high-resolution infrared imaging, 3D breast scans, and magnetic resonance imaging. Scientific Reports 10 (2020), 1–14.
[27]
Yuxin Ma, Tiankai Xie, Jundong Li, and Ross Maciejewski. 2019. Explaining vulnerabilities to adversarial machine learning through visual analytics. IEEE Transactions on Visualization and Computer Graphics 26 (2019), 1075–1085.
[28]
Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2017. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017).
[29]
Ali Mousavi, Ankit B. Patel, and Richard G. Baraniuk. 2015. A deep learning approach to structured signal recovery. In Proceedings of the 53rd Annual Allerton Conference on Communication, Control, and Computing (Allerton’15). 1336–1343.
[30]
Luis Muñoz-González, Bjarne Pfitzner, Matteo Russo, Javier Carnerero-Cano, and Emil C. Lupu. 2019. Poisoning attacks with generative adversarial nets. arXiv preprint arXiv:1906.07773 (2019).
[31]
Leonid I. Rudin, Stanley Osher, and Emad Fatemi. 1992. Nonlinear total variation based noise removal algorithms. Physica D: Nonlinear Phenomena 60, 1-4 (1992), 259–268.
[32]
Jo Schlemper, Jose Caballero, Joseph V. Hajnal, Anthony N. Price, and Daniel Rueckert. 2017. A deep cascade of convolutional neural networks for dynamic MR image reconstruction. IEEE transactions on Medical Imaging 37, 2 (2017), 491–503.
[33]
Wuzhen Shi, Feng Jiang, Shaohui Liu, and Debin Zhao. 2019. Image compressed sensing using convolutional neural network. IEEE Transactions on Image Processing 29 (2019), 375–388.
[34]
Dawn Song, Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Florian Tramer, Atul Prakash, and Tadayoshi Kohno. 2018. Physical adversarial examples for object detectors. In Proceedings of the 12th USENIX Workshop on Offensive Technologies (WOOT’18).
[35]
Jia Wang, Wuqiang Su, Chengwen Luo, Jie Chen, Houbing Song, and Jianqiang Li. 2022. CSG: Classifier-aware defense strategy based on compressive sensing and generative networks for visual recognition in autonomous vehicle systems. IEEE Transactions on Intelligent Transportation Systems (2022), 1–11.
[36]
Zhou Wang, Alan C. Bovik, Hamid R. Sheikh, and Eero P. Simoncelli. 2004. Image quality assessment: From error visibility to structural similarity. IEEE Transactions on Image Processing 13, 4 (2004), 600–612.
[37]
Yan Wu, Mihaela Rosca, and Timothy Lillicrap. 2019. Deep compressed sensing. In Proceedings of the 36th International Conference on Machine Learning (ICML’19). 6850–6860.
[38]
Weilin Xu, David Evans, and Yanjun Qi. 2017. Feature squeezing: Detecting adversarial examples in deep neural networks. arXiv preprint arXiv:1704.01155 (2017).
[39]
Haotian Yang, Hao Zhu, Yanru Wang, Mingkai Huang, Qiu Shen, Ruigang Yang, and Xun Cao. 2020. Facescape: A large-scale high quality 3D face dataset and detailed riggable 3D face prediction. In Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition (CVPR’20). 601–610.
[40]
Jian Zhang and Bernard Ghanem. 2018. ISTA-Net: Interpretable optimization-inspired deep network for image compressive sensing. In Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition (CVPR’18). 1828–1837.
[41]
Yuchen Zhang and Percy Liang. 2019. Defending against whitebox adversarial attacks via randomized discretization. In Proceedings of the 22nd International Conference on Artificial Intelligence and Statistics (AISTATS’19). 684–693.
[42]
Hang Zhao, Orazio Gallo, Iuri Frosio, and Jan Kautz. 2016. Loss functions for image restoration with neural networks. IEEE Transactions on Computational Imaging 3, 1 (2016), 47–57.
Index Terms
- Evaluating Compressive Sensing on the Security of Computer Vision Systems
Recommendations
Image compressive sensing via Truncated Schatten-p Norm regularization
Low-rank property as a useful image prior has attracted much attention in image processing communities. Recently, a nonlocal low-rank regularization (NLR) approach toward exploiting low-rank property has shown the state-of-the-art performance in ...
Adversarial machine learning for cybersecurity and computer vision: Current developments and challenges
AbstractWe provide a comprehensive overview of adversarial machine learning focusing on two application domains, that is, cybersecurity and computer vision. Research in adversarial machine learning addresses a significant threat to the wide application of ...
Poisoning attack contaminates the training data to render a classifier useless; evasion attack generates adversarial samples at test time; membership inference attack and model inversion attack aim to infer information about data points used in the ...
Compressive sensing via nonlocal low-rank tensor regularization
The aim of Compressing sensing (CS) is to acquire an original signal, when it is sampled at a lower rate than Nyquist rate previously. In the framework of CS, the original signal is often assumed to be sparse and correlated in some domain. Recently, ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Journal Family
Publication History
Published: 13 March 2024
Online AM: 08 February 2024
Accepted: 22 January 2024
Revised: 05 December 2023
Received: 12 June 2023
Published in TOSN Volume 20, Issue 3
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- National Natural Science Foundation of China
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 278Total Downloads
- Downloads (Last 12 months)278
- Downloads (Last 6 weeks)20
Reflects downloads up to 10 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in