Attack Methods Research Articles

A hybrid DGA DefenseNet for detecting DGA domain names based on FastText and deep learning techniques

As technology rapidly advances, the Internet has become an essential part of modern life. However, public awareness of cybersecurity has not kept pace with the growing threat landscape. Cyber incidents have become more frequent, caused by factors such as malware, software vulnerabilities, and social engineering. With the evolution of malicious attack methods, there is a growing need for innovative and effective cybersecurity defense strategies. This study proposed a Domain Generation Algorithm (DGA) domains detection framework leveraging a deep learning architecture combined with FastText. Using FastText for word embedding extraction, this research developed the Hybrid DGA DefenseNet (HDDN), which integrates Convolutional Neural Networks (CNN) and Long Short-Term Memory (LSTM) networks. This hybrid model extracts features from datasets and performs both detection and classification. On the Netlab360 and UMUDGA datasets, the model achieved detection accuracy of 97.70 % and 97.42 %, outperforming the Random Forest approach by 15.77 % and 16.29 %, and the C5.0 with GAN approach by 6.40 % and 7.22 %. Additionally, the model achieved classification accuracy of 93.86 % on the Netlab360 dataset and 90.09 % on the UMUDGA dataset, demonstrating the effectiveness of HDDN compared to existing methods.

A Study on Filter-Based Adversarial Image Classification Models

In view of the fact that adversarial examples can lead to high-confidence erroneous outputs of deep neural networks, this study aims to improve the safety of deep neural networks by distinguishing adversarial examples. A classification model based on filter residual network structure is used to accurately classify adversarial examples. The filter-based classification model includes residual network feature extraction and classification modules, which are iteratively optimized by an adversarial training strategy. Three mainstream adversarial attack methods are improved, and adversarial samples are generated on the Mini-ImageNet dataset. Subsequently, these samples are used to attack the EfficientNet and the filter-based classification model respectively, and the attack effects are compared. Experimental results show that the filter-based classification model has high classification accuracy when dealing with Mini-ImageNet adversarial examples. Adversarial training can effectively enhance the robustness of deep neural network models.

A Review of Adversarial Attacks and Defense Techniques in Text Processing Models

Abstract. With the rise of neural networks, the need for accuracy, robustness, and security has increased. Research has shown that small, carefully crafted perturbations, known as adversarial examples, can deceive models and lead to incorrect predictions. Current research focuses on the image domain, while there is a notable lack of exploration in the text domain, due to its discrete nature. This paper reviews adversarial attack techniques and defense strategies in text-based neural network models, aiming to improve the security and resilience of these models in practical applications. Adversarial examples, which can deceive models with small perturbations, expose vulnerabilities in their robustness and security. Techniques such as TextFooler focus on synonym replacement for generating adversarial examples, while Text Random Smooth (Text-RS) enhances defense through adaptive noise strategies. The research of search space aims to explore the feature of that, proposing search space for Imperceptibility (SSIP) and Search Space for Effectiveness (SSET) to estimate the different attack methods. Furthermore, the Chinese Variation Graph Integration (CHANGE) method improves the resilience of Chinese language models by leveraging variation graphs. These advancements highlight the importance of developing effective generation and defense mechanisms for adversarial examples in text processing models. Future research should enhance adversarial example techniques, explore efficient defense strategies, and investigate transferability to improve the security and robustness of text processing models.

IATT: Interpretation Analysis based Transferable Test Generation for Convolutional Neural Networks

Convolutional neural networks (CNNs) have been widely used in various fields. However, it is essential to perform sufficient testing to detect internal defects before deploying CNNs, especially in security-sensitive scenarios. Generating error-inducing inputs to trigger erroneous behavior is the primary way to detect CNN model defects. However, in practice, when the model under test is a black-box CNN model without accessible internal information, in some scenarios it is still necessary to generate high-quality test inputs within a limited testing budget. In such a new scenario, a potential approach is to generate transferable test inputs by analyzing the internal knowledge of other white-box CNN models similar to the model under test, and then use transferable test inputs to test the black-box CNN model. The main challenge in generating transferable test inputs is how to improve their error-inducing capability for different CNN models without changing the test oracle. We found that different CNN models make predictions based on features of similar important regions in images. Adding targeted perturbations to important regions will generate transferable test inputs with high realism. Therefore, we propose the Interpretable Analysis based Transferable Test Generation method for CNNs (IATT), which employs interpretation methods of CNN models to explain and localize important regions in test inputs, using backpropagation optimizer and perturbation mask process to add targeted perturbations to these important regions, thereby generating transferable test inputs. This process is repeated to iteratively optimize the transferability and realism of the test inputs. To verify the effectiveness of IATT, we perform experimental studies on nine deep learning models, including ResNet-50 and Vit-B/16, and commercial computer vision system Google Cloud Vision , and compared our method with four state-of-the-art baseline methods. Experimental results show that transferable test inputs generated by IATT can effectively cause black-box target models to output incorrect results. Compared to existing testing and adversarial attack methods, the average error-inducing success rate (ESR) in different testing scenarios is 18.1% \(\sim\) 52.7% greater than the baseline methods. Additionally, the test inputs generated by IATT achieve high ESR while maintaining high realism.

Safe Driving Adversarial Trajectory Can Mislead: Towards More Stealthy Adversarial Attack Against Autonomous Driving Prediction Module

The prediction module, powered by deep learning models, constitutes a fundamental component of high-level Autonomous Vehicles (AVs). Given the direct influence of the module’s prediction accuracy on AV driving behavior, ensuring its security is paramount. However, limited studies have explored the adversarial robustness of the prediction modules. Furthermore, existing methods still generate adversarial trajectories that deviate significantly from human driving behavior. These deviations can be easily identified as hazardous by AVs’ anomaly detection models and thus cannot effectively evaluate and reflect the robustness of the prediction modules. To bridge this gap, we propose a stealthy and more effective optimization-based attack method. Specifically, we reformulate the optimization problem using Lagrangian relaxation and design a Frenet-based objective function along with a distinct constraint space. We conduct extensive evaluations on 2 popular prediction models and 2 benchmark datasets. Our results show that our attack is highly effective, with over 87% attack success rates, outperforming all baseline attacks. Moreover, our attack method significantly improves the stealthiness of adversarial trajectories while guaranteeing adherence to physical constraints. Our attack is also found robust to noise from upstream modules, transferable across trajectory prediction models, and high realizability. Lastly, to verify its effectiveness in real-world applications, we conduct further simulation evaluations using a production-grade simulator. These simulations reveal that the adversarial trajectory we created could convincingly induce autonomous vehicles (AVs) to initiate hard braking.

Contextual Attribution Maps-Guided Transferable Adversarial Attack for 3D Object Detection

The study of LiDAR-based 3D object detection and its robustness under adversarial attacks has achieved great progress. However, existing adversarial attack methods mainly focus on the targeted object, which destroys the integrity of the object and makes the attack easy to perceive. In this work, we propose a novel adversarial attack against deep 3D object detection models named the contextual attribution maps-guided attack (CAMGA). Based on the combinations of subregions in the context area and their impact on the prediction results, contextual attribution maps can be generated. An attribution map exposes the influence of individual subregions in the context area on the detection results and narrows down the scope of the adversarial attack. Subsequently, perturbations are generated under the guidance of a dual loss, which is proposed to suppress the detection results and maintain visual imperception simultaneously. The experimental results proved that the CAMGA method achieved an attack success rate of over 68% on three large-scale datasets and 83% on the KITTI dataset. Meanwhile, the CAMGA has a transfer attack success rate of at least 50% against all four victim detectors, as they all overly rely on contextual information.

Identification of SQL Injection Security Vulnerabilities in Web applications Based on Binary Code Similarity

The existing SQL injection security vulnerability identification technology for Web applications has inherent flaws, which are relatively passive in defense methods, and cannot deal with increasingly changeable attack methods. In order to improve the accuracy of SQL injection security vulnerability identification of Web applications, this paper uses an improved skip-gram model to realize unsupervised learning of the embedding process, converts the information related to program functions contained in the vertices of the basic block into feature vectors to obtain the ACFG vector of the basic block, and measures the similarity of binary functions by evaluating the similarity of feature vectors. The experimental results show that the technical processing route proposed in this paper can effectively compare binary functions with different architectures and optimization levels, and use the advantages of neural networks to obtain higher accuracy and better analysis efficiency, thereby effectively improving the identification effect of SQL injection security vulnerabilities in Web applications. Therefore, it can play a certain role in the security management of subsequent Web applications.

TANGGUNG JAWAB NEGARA ATAS PELINDUNGAN OBJEK SIPIL PADA KONFLIK BERSENJATA BERDASARKAN PRINSIP PROPORSIONALITAS DALAM HUKUM HUMANITER INTERNASIONAL

In IHL, there is the principle of proportionality, namely in the case of carrying out an attack, both the means and the method, the damage that will be suffered by the civilian population or civilian objects must be proportional in nature and not excessive in relation to the acquisition of real and direct military benefits that can be predicted as a result of the attack on military targets. But in reality, in an armed conflict, there must be many victims, both from those who participate and those who do not participate in the war, and cause damage to civilian objects, either intentionally or unintentionally. Therefore, the research problem is how the act of attacking civilian objects in armed conflict based on the principle of proportionality; and how the state's responsibility for the protection of civilian objects in armed conflict based on the principle of proportionality. The results of the research concluded that (1) During armed conflict, it is still necessary to fulfill the principles and provisions in IHL, one of which is the principle of proportionality based on Article 57 paragraph (2) (a) (i to iii) of Additional Protocol I, 1977. The party that will carry out the attack has the obligation to gather information in advance before and at the time of the attack in order to know that the target to be attacked is a military target, not a civilian object. Then take all precautions in choosing the means and methods of attack, so that the damage to be suffered by the civilian population or civilian objects is proportionate and not excessive in relation to the acquisition of real and direct military advantage; (2) In the event of an attack on civilian objects in armed conflict, the attacking state must be responsible for all internationally wrongful acts, which result in damage and loss. This is stipulated in ARSIWA 2001, Article 2. In IAC, the 1907 Hague Convention IV, Article 3; the 1949 Geneva Conventions, namely Article 51 of Geneva Convention I, Article 52 of Geneva Convention II, Article 131 of Geneva Convention III, and Article 148 of Geneva Convention IV, 1949; Additional Protocol I, 1977, Article 91 apply. In NIAC, Article 3 of the Geneva Conventions 1949 applies.

Spatialspectral-Backdoor: Realizing backdoor attack for deep neural networks in brain–computer interface via EEG characteristics

In recent years, electroencephalogram (EEG) based on the brain–computer interface (BCI) systems have become increasingly advanced, with researcher using deep neural networks as tools to enhance performance. BCI systems heavily rely on EEG signals for effective human–computer interactions, and deep neural networks show excellent performance in processing and classifying these signals. Nevertheless, the vulnerability to backdoor attack is still a major problem. Backdoor attack is the injection of specially designed triggers into the model training process, which can lead to significant security issues. Therefore, in order to simulate the negative impact of backdoor attack and bridge the research gap in the field of BCI, this paper proposes a new backdoor attack method to call researcher attention to the security issues of BCI. In this paper, Spatialspectral-Backdoor is proposed to effectively attack the BCI system. The method is carefully designed to target the spectral active backdoor attack of the BCI system and includes a multi-channel preference method to select the electrode channels sensitive to the target task. Ultimately, the effectiveness of the comparison and ablation experiments is validated on the publicly available BCI competition datasets. The results show that the average attack success rate and clean sample accuracy of Spatialspectral-Backdoor in the BCI scenario are 97.12% and 85.16%, respectively, compared with other backdoor attack methods. Furthermore, by observing the infection ratio of backdoor triggers and visualization of the feature space, the proposed Spatialspectral-Backdoor outperforms other backdoor attack methods.

Backdoor Attacks and Defenses Targeting Multi-Domain AI Models: A Comprehensive Review

Since the emergence of security concerns in artificial intelligence (AI), there has been significant attention devoted to the examination of backdoor attacks. Attackers can utilize backdoor attacks to manipulate model predictions, leading to significant potential harm. However, current research on backdoor attacks and defenses in both theoretical and practical fields still has many shortcomings. To systematically analyze these shortcomings and address the lack of comprehensive reviews, this paper presents a comprehensive and systematic summary of both backdoor attacks and defenses targeting multi-domain AI models. Simultaneously, based on the design principles and shared characteristics of triggers in different domains and the implementation stages of backdoor defense, this paper proposes a new classification method for backdoor attacks and defenses. We use this method to extensively review backdoor attacks in the fields of computer vision and natural language processing, and also examine the current applications of backdoor attacks in audio recognition, video action recognition, multimodal tasks, time series tasks, generative learning, and reinforcement learning, while critically analyzing the open problems of various backdoor attack techniques and defense strategies. Finally, this paper builds upon the analysis of the current state of AI security to further explore potential future research directions for backdoor attacks and defenses.

Semantic Web-Driven Targeted Adversarial Attack on Black Box Automatic Speech Recognition Systems

The susceptibility of Deep Neural Networks (DNNs) to adversarial attacks in Automatic Speech Recognition (ASR) systems has drawn significant attention. Most work focuses on white-box methods, but the assumption of full transparency of model architecture and parameters is unrealistic in real-world scenarios. Although several targeted black-box attack methods have been proposed in recent years, due to the complexity of ASR systems, they primarily rely on query-based approaches with limited search capabilities, leading to low success rates and noticeable noise. To address this, we propose DE-gradient, a new black-box approach using differential evolution (DE), a population-based search algorithm. Inspired by Semantic Web ideas, we introduce modulation noise to preserve semantic coherence while enhancing imperceptibility. In experiments on two public datasets, DE-gradient improved attack success rates by 19% and increased the signal-to-noise ratio (SNR) of silent parts from 27 dB to 54 dB, establishing a strong baseline for evaluating black-box adversarial attacks in ASR systems.

Black-Box Adversarial Attacks Against SQL Injection Detection Model

Structured Query Language (SQL) injection attacks represent a substantial threat to the security of web applications, making the development of effective detection techniques crucial. These techniques have evolved from traditional signature-based techniques to more advanced techniques based on machine learning models. Machine learning detection models are often vulnerable to adversarial examples. Adversarial examples are deliberately crafted inputs designed to deceive models into making incorrect predictions by subtly altering the original dataset in ways that are typically imperceptible to humans. To train and test these machine learning models, datasets comprising both malicious and normal data are indispensable. However, the lack of sufficient and balanced datasets presents a significant challenge, particularly for models intended to detect SQL injection attacks. Most network traffic datasets exhibit a substantial class imbalance, with a disproportionate amount of normal traffic compared to malicious traffic, making it difficult to train effective and reliable detection models. This study addressed the shortcomings of current SQL injection detection techniques and proposed a conditional tabular generative adversarial network adversarial attack method. We evaluated the effectiveness of the generated adversarial SQL injection examples using qualitative and quantitative methods, measuring their ability to evade the detection model. A conventional neural network algorithm detection model was built and tested, and the generated adversarial examples successfully bypassed the detection model at a rate of up to 6%. The evidence demonstrated that the conditional tabular generative adversarial network successfully captures the statistical properties of real data and generates synthetic data that accurately represents the real data. This method is also expected to address the problem of insufficient and imbalanced SQL injection datasets, which could aid in training various machine learning models beyond the one used in our study.

Template Attack Based on the Weighted Quadruple Residual Network

ABSTRACTTemplate attack, as a classic side‐channel attack method, has attracted extensive attention due to its ease of deployment and small number of hyperparameters. However, traditional template attacks (TA) suffer from high preprocessing complexity and poor performance in certain masked applications. To address these issues, this paper proposes a novel template attack method leveraging a weighted quadruple residual network. Specifically, we improve the quadruple network model by assigning different weights to the negative samples selected by the model, which balances the influence of the samples on the model's feedback. Aiming at the fact that the quadruple network ignores the label characteristics of samples in the side‐channel, the distance metric in the quadruple network model is improved, which can help the model select more suitable samples. The residual network designed in this paper enables the quadruplet network model to reduce feature dimensionality, thereby facilitating more effective analysis attacks in TA. Experimental results demonstrate a notable reduction in leaked traces required by the optimized template attack on the synchronous ASCAD dataset, achieving a 62.5% decrease compared to an advanced template attack scheme. On the AES_HD dataset, the energy trace needed for a successful attack diminishes by 46.5% in comparison to the advanced template attack scheme.

Threshold Filtering for Detecting Label Inference Attacks in Vertical Federated Learning

Federated learning, as an emerging machine-learning method, has received widespread attention because it allows users to train locally during the training process and uses relevant cryptographic knowledge to safeguard the privacy of data during model aggregation. However, existing federated learning is also susceptible to privacy breaches, e.g., label inference attacks against vertical federated learning scenarios, where an adversary is able to reason about the labels of other participants based on the trained model, leading to serious privacy breaches. In this paper, we design a detection method for label inference attacks in vertical federated learning scenarios, which is able to detect the attacks based on the principles of the attacks. We design a threshold-filtering detection method based on the principle of attack to determine that the model is under attack when the threshold value is greater than a set parameter. Furthermore, we have created six threat model classifications based on different a priori conditions of the adversary to comprehensively analyze the adversary’s attacks. In addition to the detection method of attacks, the extent of attacks on the model and the effectiveness of the defense can also be evaluated. The evaluation module will experimentally measure the changes in the relevant metrics such as the accuracy of the attack, the F1 score, and the change in the accuracy after the defense method. For example, detection in the full connected neural network model assesses the attack and defense effectiveness of the model with an attack accuracy of 86.72% in the breast cancer Wisconsin dataset and an F1 score of 0.743, which is reduced to 36.36% after dispersed training. This ensures that users have an overall grasp of the extent to which the training model is under attack before deploying the model.

Steering cooperation: Adversarial attacks on prisoner’s dilemma in complex networks

This study examines the application of adversarial attack concepts to control the evolution of cooperation in the prisoner’s dilemma game in complex networks. Specifically, it proposes a simple adversarial attack method that drives players’ strategies towards a target state by adding small perturbations to social networks. The proposed method is evaluated on both model and real-world networks. Numerical simulations demonstrate that the proposed method can effectively promote cooperation with significantly smaller perturbations compared to other techniques. Additionally, this study shows that adversarial attacks can also be useful in inhibiting cooperation (promoting defection). The findings reveal that adversarial attacks on social networks can be potent tools for both promoting and inhibiting cooperation, opening new possibilities for controlling cooperative behavior in social systems while also highlighting potential risks.

Temporal characteristics-based adversarial attacks on time series forecasting

Currently, deep learning models have gained significant popularity in time series forecasting within industrial systems due to their high accuracy. However, these models exhibit vulnerability to adversarial attacks, posing significant cost and security risks. Existing attack methods for time series, primarily adapted from those developed for image classifiers, fail to effectively explore the vulnerability of time series forecasting models, since they overlook the distinct characteristics and temporal patterns inherent in time series data. To address this challenge and inspire future research aimed at improving the reliability of time series forecasting models, we identify the goals of adversarial attacks for time series forecasting and propose a novel white-box adversarial attack method named TCA. Specifically, TCA exploits gradient information from the target model, iteratively applies perturbations to the original samples, and constrains these perturbations based on the temporal characteristics. Extensive experiments on multiple DL models and real-world time series datasets reveal the shortcomings of existing attacks for time series forecasting and demonstrate the effectiveness, stealthiness, and rationality of TCA attacks in both untargeted and targeted attack scenarios.

Gradient-based sparse voxel attacks on point cloud object detection

Point cloud object detection is crucial for a variety of applications, including autonomous driving and robotics. Voxel-based representation for 3D point clouds has drawn significant attention due to their efficiency and effectiveness. Recent studies have revealed the vulnerability of deep learning models to adversarial attacks, while considerably less attention is paid to the robustness of voxel-based point cloud object detectors. Existing adversarial attacks on the point cloud data involve generating fake obstacles, removing objects or producing fake predictions. Despite the demonstrated success, these approaches have three limitations. First, manipulating point data, which was originally designed for point-based representation, is inapplicable to voxel-based representation. Second, existing works that modified points in the hold scene yield redundant perturbations. Third, the evaluation primarily performed on small-scale datasets, such as KITTI, does not scale well. To address these limitations, we propose a gradient-based sparse voxel attack (GSVA) algorithm for voxel-based 3D point cloud object detectors. Two novel frameworks, i.e., re-voxelization-based voxel attack framework and light voxel attack framework, successfully modify voxel-based representation instead of raw points. In addition to KITTI, extensive experiments on large-scale datasets including nuScenes and Waymo Open Dataset demonstrate the favorable attack performance (with mAP decrease by 86.2%∼99.5%) and the slight perturbation costs (with lowest modification rate of 3.5%) of our voxel attack method over the state-of-the-art approaches.

Digital risk: a systematic multivocal literature review

ABSTRACT Crime rates in digital spaces are rising each year, involving increasingly innovative attack methods that organizations are unable to handle, or prepare for, with their obsolete management structures. This paper presents a Multivocal Literature Review in which expertise is collected from the academia and industry on how Digital Risk is perceived, interpreted and handled. Findings from the analysis of 82 selected works, out of an initial set of 519, support the necessity of a paradigm shift in Risk Management to appropriately counter the vulnerabilities specific to digitalization and to abolish the existing siloed organizational approach in favor of a more holistic, cooperative system where individuals are empowered to make decisions and oversight is specialized and dedicated. After analyzing the definitions, compositions, domain contextualizations and organizational structurings attributed to Digital Risk in the literature, a new definition for this concept is proposed, accompanied by a conceptual map and a diagram for structural changes in organizations, to provide an understanding of the area and a contribution to the theoretical foundations of Digital Risk, so that better solutions can be pursued in the future, improving the effectiveness of Risk Management practices in modern organizations.

Analysis and Design of Efficient Authentication Techniques for Password Entry with the Qwerty Keyboard for VR Environments.

Authentication in digital security relies heavily on text-based passwords, even with other available methods like biometrics and graphical passwords. While virtual reality (VR) keyboards are typically invisible to onlookers, the presence of inconspicuous sensors, including accelerometers, gyroscopes, and barometers, poses a potential risk of unauthorized observation and recording. Traditional defense shoulder-surfing attack methods typically involve breaking apart the Qwerty layout, which destroys the user's inherent familiarity with the layout. This research addresses the need for secure password entry in VR environments while retaining the Qwerty layout. We explore three keyboard-related position alteration strategies to ensure security while mitigating the decline in user experience. These strategies involve moving the entire keyboard, cursor, and keys. Our theoretical study assesses the effectiveness of these strategies against shoulder-surfing attacks. Two user studies, employing ray-based and position-based text entry methods, respectively, evaluate the practical effectiveness of the three strategies in resisting shoulder-surfing attacks, as well as their impact on typing performance and user experience. Our findings demonstrate that the three strategies achieve shoulder-surfing attack resistance comparable to a random layout keyboard. Moreover, compared to a random layout, the two strategies involving the movement of the entire keyboard and the repositioning of keys support faster entry rates and enhanced user experience.

A Word-Level Adversarial Attack Method Based on Sememes and an Improved Quantum-Behaved Particle Swarm Optimization.

The goal of textual adversarial attack methods is to replace some words in an input text in order to make the victim model misbehave. This article proposes an effective word-level adversarial attack method based on sememes and an improved quantum-behaved particle swarm optimization (QPSO) algorithm. The sememe-based substitute method, which uses the words sharing the same sememes as the substitutes of the original words, is first employed to form the reduced search space. Then, an improved QPSO algorithm, called historical information-guided QPSO with random drift local attractor (HIQPSO-RD), is proposed to search the reduced search space for adversarial examples. The HIQPSO-RD introduces historical information into the current mean best position of the QPSO, for the purpose of improving the convergence speed of the algorithm, by enhancing its exploration ability and preventing the premature convergence of the swarm. The proposed algorithm uses the random drift local attractor technique to make a good balance between its exploration and exploitation, so that the algorithm can find a better adversarial attack example with low grammaticality and perplexity (PPL). In addition, it employs a two-stage diversity control strategy to enhance the search performance of the algorithm. Experiments on three natural language processing (NLP) datasets, with three commonly used nature language processing models as victim models, show that our method achieves higher attack success rates but lower modification rates than the state-of-the-art adversarial attack methods. Moreover, the results of human evaluations show that adversarial examples generated by our method can better maintain the semantic similarity and grammatical correctness of the original input.