Title: New quality measures for adversarial attacks with applications to secure communication
Author: Hameed, Muhammad Zaid
ISNI:       0000 0004 9357 2082
Awarding Body: Imperial College London
Current Institution: Imperial College London
Date of Award: 2020
Adversarial attacks have exposed the vulnerability of neural networks and other learning methods to small perturbations of their input, raising concerns about the security of machine-learning-based systems. The main concern is that these vulnerabilities persist even when the perturbations introduced by the adversary are so small that the tampered data has characteristics very similar to the original. Unfortunately, which characteristics matter varies from application to application, while in the literature similarity is usually measured through some $L_p$ distance (typically with $p\in\{1,2,\infty\}$). In this thesis we show that choosing the right similarity metric (or, equivalently, the right quality metric for the tampered data) has important consequences for designing and evaluating adversarial attacks. We consider two application areas: wireless communication and image classification.

First, we show that adversarial attacks can in fact be used to enhance security, by deploying them against intruders in wireless communication systems. More precisely, we show that, by modifying the signals at the transmitter using adversarial perturbations, it is possible to prevent modulation detection by an intruder (an important step in covertly intercepting or jamming the communication), while at the same time the legitimate receiver can still decode the underlying message with a small bit-error rate (BER). We demonstrate that using the BER as the quality metric has substantial benefits over $L_p$ distances: directly optimizing the perturbations to minimize the increase in the BER yields much better performance than using $L_p$-norm-constrained perturbations. In image classification, we propose using the structural similarity index (SSIM) to measure the effects of adversarial perturbations applied to images.
We show that using SSIM can avoid considering adversarial images of low visual quality, and can have a significant effect on the assessment of adversarial attack and defense schemes. As an example, we show that even state-of-the-art defense methods can be completely broken using only high-quality adversarial examples on the CIFAR-10 dataset. We also demonstrate that the use of SSIM-filtered attacks can significantly improve the performance of adversarial training of neural networks against large perturbations. Extensive experimental results are provided that demonstrate the viability of our proposed approaches, in particular the use of problem-specific quality measures, in wireless communication and image classification.
Supervisor: Gyorgy, Andras
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral