Reverse Engineering of Deceptions: 

Foundations and Applications

CVPR 2023 Tutorial

June 19, 2023 (9:00 am-12:00 noon PDT)

Location: Vancouver Convention Centre, Vancouver, Canada

Room: East 7

CVPR recording: Link (Registration needed)

Overview

This tutorial aims to provide a comprehensive understanding of the emerging reverse engineering of deceptions (RED) [1] paradigm in adversarial machine learning (ML) for trustworthy computer vision (CV). Previous research has focused on generating, detecting, and defending against machine-centric and human-centric deception; RED instead seeks to automatically uncover and index the 'fingerprints' that both kinds of attack leave behind.

The primary question addressed in this tutorial is: given a machine- or human-centric attack, can we reverse-engineer the adversary's knowledge, such as the attack's intention, the attack method, and details of the generating model, beyond what ordinary adversarial detection and defense techniques provide?

With the increasing importance of security and trustworthiness in CV models, the tutorial aims to offer new insights into adversarial ML by exploring how one can reverse engineer threat models from adversarial instances, such as adversarial examples and images synthesized by generative models. The ultimate goal is to demystify adversarial models and ensure the safe and reliable use of CV technologies.
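The following is an added toy illustration of the RED question above; it is not code from the tutorial or from any of the cited papers. It assumes a linear scoring model on a 64-dimensional input (so the input gradient is simply the weight vector), generates two attack families against it (an FGSM-style sign step under an l-infinity budget, and a normalized-gradient step under an l2 budget), and then, taking the role of the analyst who only holds an estimated perturbation (the estimation step itself, recovering the perturbation from the adversarial image alone, is what methods such as [2] address and is simulated here by adding 10% estimation noise), attributes the attack family and recovers the attack budget from simple norm-based fingerprints. All names, thresholds and the noise model are assumptions of this example.

```python
import math
import random

D = 64  # toy input dimension (constructed example, not the tutorial's data)


def make_toy_model(seed=0):
    """Toy linear scorer s(x) = w . x; for such a model ds/dx is w itself."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(D)]


def grad_score(w, x):
    # Input gradient of a linear model does not depend on x.
    return list(w)


def linf_sign_attack(w, x, eps):
    """FGSM-style step: every coordinate moves by exactly +eps or -eps."""
    return [eps * (1.0 if g >= 0 else -1.0) for g in grad_score(w, x)]


def l2_gradient_attack(w, x, eps):
    """Steepest-ascent step under an l2 budget: delta = eps * g / ||g||_2."""
    g = grad_score(w, x)
    norm = math.sqrt(sum(gi * gi for gi in g))
    return [eps * gi / norm for gi in g]


def simulate_estimated_perturbation(delta, rel_noise=0.1, seed=1):
    """RED pipelines first estimate delta from the adversarial input alone.

    This stands in for that estimator (assumption of this example): the true
    perturbation plus Gaussian error at rel_noise times its RMS magnitude.
    """
    rng = random.Random(seed)
    rms = math.sqrt(sum(d * d for d in delta) / len(delta))
    return [d + rng.gauss(0.0, rel_noise * rms) for d in delta]


def fingerprint(delta_hat):
    """Norm-based fingerprints of an (estimated) perturbation.

    A sign attack saturates every coordinate at the same magnitude, so the
    peak-to-RMS ratio is ~1 and almost all entries sit near the peak. A
    gradient-direction l2 step inherits the spread of the gradient, so only
    a minority of entries come close to the peak.
    """
    mags = sorted(abs(d) for d in delta_hat)
    peak = mags[-1]
    rms = math.sqrt(sum(m * m for m in mags) / len(mags))
    saturated = sum(1 for m in mags if m >= 0.5 * peak) / len(mags)
    return {
        "peak_to_rms": peak / rms,
        "saturated_frac": saturated,
        "median_abs": mags[len(mags) // 2],
        "l2": math.sqrt(sum(m * m for m in mags)),
    }


def attribute(delta_hat, saturation_threshold=0.8):
    """Return (attack family, recovered budget) from the fingerprints.

    Budget recovery: the median magnitude is a noise-robust estimate of eps for
    a sign attack; the l2 norm recovers eps for the l2 step.
    """
    f = fingerprint(delta_hat)
    if f["saturated_frac"] > saturation_threshold:
        return "linf_sign", f["median_abs"]
    return "l2_gradient", f["l2"]


def demo():
    w = make_toy_model()
    x = [0.0] * D  # clean input (constructed; irrelevant for a linear model)
    cases = {
        "linf_sign": (linf_sign_attack(w, x, 0.03), 0.03),
        "l2_gradient": (l2_gradient_attack(w, x, 0.5), 0.5),
    }
    results = {}
    for name, (delta, eps) in cases.items():
        delta_hat = simulate_estimated_perturbation(delta)
        results[name] = attribute(delta_hat)
    return results


if __name__ == "__main__":
    for name, (kind, eps_hat) in demo().items():
        print(f"true attack={name:12s} attributed={kind:12s} eps_hat={eps_hat:.4f}")
```

The point of the toy is the direction of inference: the analyst never sees the attack code, only the perturbed input, yet a fingerprint as crude as "how many coordinates sit near the peak magnitude" separates the two families and yields the budget. Real RED work has to do this on estimated perturbations of images, against many attack families, which is what the referenced papers address.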

Content

Speakers

Michigan State University

Michigan State University

Northeastern University

Other contributors

Michigan State University

Michigan State University

Northeastern University

Jiancheng Liu, Michigan State University

Xiao Guo, Michigan State University

Yize Li, Northeastern University

Acknowledgement

References

[1] Defense Advanced Research Projects Agency (DARPA). Reverse Engineering of Deceptions. https://www.darpa.mil/program/reverse-engineering-of-deceptions.

[2] Y. Gong, Y. Yao, Y. Li, Y. Zhang, X. Liu, X. Lin, and S. Liu. Reverse engineering of imperceptible adversarial image perturbations. ICLR 2022.

[3] Y. Yao, J. Liu, Y. Gong, X. Liu, Y. Wang, X. Lin, and S. Liu. Can adversarial examples be parsed to reveal victim model information? arXiv 2023.

[4] V. Asnani, X. Yin, T. Hassner, and X. Liu. Reverse engineering of generative models: Inferring model hyperparameters from generated images. arXiv 2021.

[5] D. Nicholson and V. Emanuele. Reverse engineering adversarial attacks with fingerprints from adversarial examples. arXiv 2023.

[6] M. Goebel, J. Bunk, S. Chattopadhyay, L. Nataraj, S. Chandrasekaran, and B. Manjunath. Attribution of gradient-based adversarial attacks for reverse engineering of deceptions. arXiv 2021.

[7] N. Yu, L. Davis, and M. Fritz. Attributing fake images to GANs: Learning and analyzing GAN fingerprints. CVPR 2019.

[8] S. Wang, O. Wang, R. Zhang, A. Owens, and A. Efros. CNN-generated images are surprisingly easy to spot... for now. CVPR 2020.

[9] Z. Guo, K. Han, Y. Ge, W. Ji, and Y. Li. Scalable attribution of adversarial attacks via multi-task learning. arXiv 2023.

[10] P. Maini, X. Chen, B. Li, and D. Song. Perturbation type categorization for multiple $\ell_p$ bounded adversarial robustness. UAI 2022.

[11] M. Zhou and V. M. Patel. On trace of PGD-like adversarial attacks. arXiv 2022.

[12] H. Souri, P. Khorramshahi, C. P. Lau, M. Goldblum, and R. Chellappa. Identification of attack-specific signatures in adversarial examples. arXiv 2021.

[13] D. Thaker, P. Giampouras, and R. Vidal. Reverse engineering $\ell_p$ attacks: A block-sparse optimization approach with recovery guarantees. ICML 2022.

[14] J. Frank, T. Eisenhofer, L. Schönherr, A. Fischer, D. Kolossa, and T. Holz. Leveraging frequency analysis for deep fake image recognition. ICML 2020.

[15] L. Guarnera, O. Giudice, and S. Battiato. Deepfake detection by analyzing convolutional traces. CVPR 2020.

[16] F. Tramer, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Stealing machine learning models via prediction APIs. USENIX Security 2016.

[17] S. J. Oh, M. Augustin, M. Fritz, and B. Schiele. Towards reverse engineering black-box neural networks. ICLR 2018.

[18] W. Hua, Z. Zhang, and G. E. Suh. Reverse engineering convolutional neural networks through side-channel information leaks. DAC 2018.

[19] L. Batina, S. Bhasin, D. Jap, and S. Picek. CSI NN: Reverse engineering of neural network architectures through electromagnetic side channel. USENIX Security 2019.

[20] S. Joshi, S. Kataria, J. Villalba, and N. Dehak. AdvEst: Adversarial perturbation estimation to classify and detect adversarial attacks against speaker identification. arXiv 2022.

Questions?

Contact yaoyugua@msu.edu for more information on the tutorial.