Search Results (376)

Search Parameters:
Keywords = adversarial examples

18 pages, 3873 KB  
Article
An Adaptive JPEG Steganography Algorithm Based on the UT-GAN Model
by Lina Tan, Yi Li, Yan Zeng and Peng Chen
Electronics 2025, 14(20), 4046; https://doi.org/10.3390/electronics14204046 - 15 Oct 2025
Viewed by 261
Abstract
Adversarial examples pose severe challenges to information security, as their impacts directly extend to steganography and steganalysis technologies. This scenario, in turn, has further spurred the research and application of adversarial steganography. In response, we propose a novel adversarial embedding scheme rooted in a hybrid, partially data-driven approach. The proposed scheme first leverages an adversarial neural network (UT-GAN, Universal Transform Generative Adversarial Network) to generate stego images as a preprocessing step. Subsequently, it dynamically adjusts the cost function with the aid of a DCTR (Discrete Cosine Transform Residual)-based gradient calculator to optimize the images, ensuring that the final adversarial images can resist detection by steganalysis tools. The encoder in this scheme adopts a unique architecture, where its internal parameters are determined by a partially data-driven mechanism. This design not only enhances the capability of traditional steganography schemes to counter advanced steganalysis technologies but also effectively reduces the computational overhead during stego image generation.
(This article belongs to the Special Issue Digital Intelligence Technology and Applications, 2nd Edition)

21 pages, 1605 KB  
Article
Risk Management Challenges in Maritime Autonomous Surface Ships (MASSs): Training and Regulatory Readiness
by Hyeri Park, Jeongmin Kim, Min Jung, Suk-young Kang, Daegun Kim, Changwoo Kim and Unkyu Jang
Appl. Sci. 2025, 15(20), 10993; https://doi.org/10.3390/app152010993 - 13 Oct 2025
Viewed by 216
Abstract
Maritime Autonomous Surface Ships (MASSs) raise safety and regulatory challenges that extend beyond technical reliability. This study builds on a published system-theoretic process analysis (STPA) of degraded operations that identified 92 loss scenarios. These scenarios were reformulated into a two-round Delphi survey with 20 experts from academic, industry, seafaring, and regulatory backgrounds. Panelists rated each scenario on severity, likelihood, and detectability. To avoid rank reversal, common in the Risk Priority Number, an adjusted index was applied. Initial concordance was low (Kendall’s W = 0.07), reflecting diverse perspectives. After feedback, Round 2 reached substantial agreement (W = 0.693, χ2 = 3265.42, df = 91, p < 0.001) and produced a stable Top 10. High-priority items involved propulsion and machinery, communication links, sensing, integrated control, and human–machine interaction. These risks are further exacerbated by oceanographic conditions, such as strong currents, wave-induced motions, and biofouling, which can impair propulsion efficiency and sensor accuracy. This highlights the importance of environmental resilience in MASS safety. These clusters were translated into five action bundles that addressed fallback procedures, link assurance, sensor fusion, control chain verification, and alarm governance. The findings show that Remote Operator competence and oversight are central to MASS safety. At the same time, MASSs rely on artificial intelligence systems that can fail in degraded states, for example, through reduced explainability in decision making, vulnerabilities in sensor fusion, or adversarial conditions such as fog-obscured cameras. Recognizing these AI-specific challenges highlights the need for both human oversight and resilient algorithmic design. They support explicit inclusion of Remote Operators in the STCW convention, along with watchkeeping and fatigue rules for Remote Operation Centers. This study provides a consensus-based baseline for regulatory debate, while future work should extend these insights through quantitative system modeling.
(This article belongs to the Special Issue Risk and Safety of Maritime Transportation)

20 pages, 11319 KB  
Article
Enhancing Feature Integrity and Transmission Stealth: A Multi-Channel Imaging Hiding Method for Network Abnormal Traffic
by Zhenghao Qian, Fengzheng Liu, Mingdong He and Denghui Zhang
Buildings 2025, 15(20), 3638; https://doi.org/10.3390/buildings15203638 - 10 Oct 2025
Viewed by 203
Abstract
In open-network environments of smart buildings and urban infrastructure, abnormal traffic from security and energy monitoring systems is critical for operational safety and decision reliability. We can develop malware that exploits building automation protocols to simulate attacks involving the falsification or modification of chiller controller commands, thereby endangering the entire network infrastructure. Intrusion detection systems rely on abundant labeled abnormal traffic data to detect attack patterns, improving network system reliability. However, transmitting such data faces two major challenges: single-feature representations fail to capture comprehensive traffic features, limiting the information representation for artificial intelligence (AI)-based detection models, and unconcealed abnormal traffic is easily intercepted by firewalls or intrusion detection systems, hindering cross-departmental sharing. Existing methods struggle to balance feature integrity and transmission stealth, often sacrificing one for the other or relying on easily detectable spatial-domain steganography. To address these gaps, we propose a multi-channel imaging hiding method that reconstructs abnormal traffic into multi-channel images by combining three mappings to generate grayscale images that depict traffic state transitions, dynamic trends, and internal similarity, respectively. These images are combined to enhance feature representation and embedded into frequency-domain adversarial examples, enabling evasion of security devices while preserving traffic integrity. Experimental results demonstrate that our method captures richer information than single-representation approaches, achieving a PSNR of 44.5 dB (a 6.0 dB improvement over existing methods) and an SSIM of 0.97. The high-fidelity reconstructions enabled by these gains facilitate the secure and efficient sharing of abnormal traffic data, thereby enhancing AI-driven security in smart buildings.

17 pages, 7857 KB  
Article
Frequency-Domain Importance-Based Attack for 3D Point Cloud Object Tracking
by Ang Ma, Anqi Zhang, Likai Wang and Rui Yao
Appl. Sci. 2025, 15(19), 10682; https://doi.org/10.3390/app151910682 - 2 Oct 2025
Viewed by 316
Abstract
3D point cloud object tracking plays a critical role in fields such as autonomous driving and robotics, making the security of these models essential. Adversarial attacks are a key approach for studying the robustness and security of tracking models. However, research on the generalization of adversarial attacks for 3D point-cloud-tracking models is limited, and the frequency-domain information of the point cloud’s geometric structure is often overlooked. This frequency information is closely related to the generalization of 3D point-cloud-tracking models. To address these limitations, this paper proposes a novel adversarial method for 3D point cloud object tracking, utilizing frequency-domain attacks based on the importance of frequency bands. The attack operates in the frequency domain, targeting the low-frequency components of the point cloud within the search area. To make the attack more targeted, the paper introduces a frequency band importance saliency map, which reflects the significance of sub-frequency bands for tracking and uses this importance as attack weights to enhance the attack’s effectiveness. The proposed attack method was evaluated on mainstream 3D point-cloud-tracking models, and the adversarial examples generated from white-box attacks were transferred to other black-box tracking models. Experiments show that the proposed attack method reduces both the average success rate and precision of tracking, proving the effectiveness of the proposed adversarial attack. Furthermore, when the white-box adversarial samples were transferred to the black-box model, the tracking metrics also decreased, verifying the transferability of the attack method.

23 pages, 1735 KB  
Article
FortiNIDS: Defending Smart City IoT Infrastructures Against Transferable Adversarial Poisoning in Machine Learning-Based Intrusion Detection Systems
by Abdulaziz Alajaji
Sensors 2025, 25(19), 6056; https://doi.org/10.3390/s25196056 - 2 Oct 2025
Viewed by 468
Abstract
In today’s digital era, cyberattacks are rapidly evolving, rendering traditional security mechanisms increasingly inadequate. The adoption of AI-based Network Intrusion Detection Systems (NIDS) has emerged as a promising solution, due to their ability to detect and respond to malicious activity using machine learning techniques. However, these systems remain vulnerable to adversarial threats, particularly data poisoning attacks, in which attackers manipulate training data to degrade model performance. In this work, we examine tree classifiers, Random Forest and Gradient Boosting, to model black box poisoning attacks. We introduce FortiNIDS, a robust framework that employs a surrogate neural network to generate adversarial perturbations that can transfer between models, leveraging the transferability of adversarial examples. In addition, we investigate defense strategies designed to improve the resilience of NIDS in smart city Internet of Things (IoT) settings. Specifically, we evaluate adversarial training and the Reject on Negative Impact (RONI) technique using the widely adopted CICDDoS2019 dataset. Our findings highlight the effectiveness of targeted defenses in improving detection accuracy and maintaining system reliability under adversarial conditions, thereby contributing to the security and privacy of smart city networks.

29 pages, 23948 KB  
Article
CAGMC-Defence: A Cross-Attention-Guided Multimodal Collaborative Defence Method for Multimodal Remote Sensing Image Target Recognition
by Jiahao Cui, Hang Cao, Lingquan Meng, Wang Guo, Keyi Zhang, Qi Wang, Cheng Chang and Haifeng Li
Remote Sens. 2025, 17(19), 3300; https://doi.org/10.3390/rs17193300 - 25 Sep 2025
Viewed by 420
Abstract
With the increasing diversity of remote sensing modalities, multimodal image fusion improves target recognition accuracy but also introduces new security risks. Adversaries can inject small, imperceptible perturbations into a single modality to mislead model predictions, which undermines system reliability. Most existing defences are designed for single-modal inputs and face two key challenges in multimodal settings: 1. vulnerability to perturbation propagation due to static fusion strategies, and 2. the lack of collaborative mechanisms that limit overall robustness according to the weakest modality. To address these issues, we propose CAGMC-Defence, a cross-attention-guided multimodal collaborative defence framework for multimodal remote sensing. It contains two main modules. The Multimodal Feature Enhancement and Fusion (MFEF) module adopts a pseudo-Siamese network and cross-attention to decouple features, capture intermodal dependencies, and suppress perturbation propagation through weighted regulation and consistency alignment. The Multimodal Adversarial Training (MAT) module jointly generates optical and SAR adversarial examples and optimizes network parameters under consistency loss, enhancing robustness and generalization. Experiments on the WHU-OPT-SAR dataset show that CAGMC-Defence maintains stable performance under various typical adversarial attacks, such as FGSM, PGD, and MIM, retaining 85.74% overall accuracy even under the strongest white-box MIM attack (ϵ=0.05), significantly outperforming existing multimodal defence baselines.

13 pages, 2104 KB  
Article
Boosting Adversarial Transferability Through Adversarial Attack Enhancer
by Wenli Zeng, Hong Huang and Jixin Chen
Appl. Sci. 2025, 15(18), 10242; https://doi.org/10.3390/app151810242 - 20 Sep 2025
Viewed by 421
Abstract
Adversarial attacks against deep learning models achieve high performance in white-box settings but often exhibit low transferability in black-box scenarios, especially against defended models. In this work, we propose Multi-Path Random Restart (MPRR), which initializes multiple restart points with random noise to optimize gradient updates and improve transferability. Building upon MPRR, we propose the Channel Shuffled Attack Method (CSAM), a new gradient-based attack that generates highly transferable adversarial examples via channel permutation of input images. Extensive experiments on the ImageNet dataset show that MPRR substantially improves the success rates of existing attacks (e.g., boosting FGSM, MI-FGSM, DIM, and TIM by 22.4–38.6%), and CSAM achieves average success rates 13.8–24.0% higher than state-of-the-art methods.
(This article belongs to the Special Issue Adversarial Attacks and Cyber Security: Trends and Challenges)

17 pages, 86811 KB  
Article
The Role of Feature Vector Scale in the Adversarial Vulnerability of Convolutional Neural Networks
by Hyun-Cheol Park and Sang-Woong Lee
Mathematics 2025, 13(18), 3026; https://doi.org/10.3390/math13183026 - 19 Sep 2025
Viewed by 329
Abstract
In image classification, convolutional neural networks (CNNs) remain vulnerable to visually imperceptible perturbations, often called adversarial examples. Although various hypotheses have been proposed to explain this vulnerability, a clear cause has not been established. We hypothesize an unfair learning effect: samples are learned unevenly depending on the scale (norm) of their feature vectors in feature space. As a result, feature vectors with different scales exhibit different levels of robustness against noise. To test this hypothesis, we conduct vulnerability tests on CIFAR-10 using a standard convolutional classifier, analyzing cosine similarity between original and perturbed feature vectors, as well as error rates across scale intervals. Our experiments show that small-scale feature vectors are highly vulnerable. This is reflected in low cosine similarity and high error rates, whereas large-scale feature vectors consistently exhibit greater robustness with high cosine similarity and low error rates. These findings highlight the critical role of feature vector scale in adversarial vulnerability.
(This article belongs to the Special Issue The Application of Deep Neural Networks in Image Processing)

28 pages, 6977 KB  
Article
MAAG: A Multi-Attention Architecture for Generalizable Multi-Target Adversarial Attacks
by Dongbo Ou, Jintian Lu, Cheng Hua, Shihui Zhou, Ying Zeng, Yingsheng He and Jie Tian
Appl. Sci. 2025, 15(18), 9915; https://doi.org/10.3390/app15189915 - 10 Sep 2025
Viewed by 365
Abstract
Adversarial examples pose a severe threat to deep neural networks. They are crafted by applying imperceptible perturbations to benign inputs, causing the model to produce incorrect predictions. Most existing attack methods exhibit limited generalization, especially in black-box settings involving unseen models or unknown classes. To address these limitations, we propose MAAG (multi-attention adversarial generation), a novel model architecture that enhances attack generalizability and transferability. MAAG integrates channel and spatial attention to extract representative features for adversarial example generation and capture diverse decision boundaries for better transferability. A composite loss guides the generation of adversarial examples across different victim models. Extensive experiments validate the superiority of our proposed method in crafting adversarial examples for both known and unknown classes. Specifically, it surpasses existing generative methods by approximately 7.0% and 7.8% in attack success rate on known and unknown classes, respectively.

29 pages, 24793 KB  
Article
SAR-ESAE: Echo Signal-Guided Adversarial Example Generation Method for Synthetic Aperture Radar Target Detection
by Jiahao Cui, Jiale Duan, Wang Guo, Chengli Peng and Haifeng Li
Remote Sens. 2025, 17(17), 3080; https://doi.org/10.3390/rs17173080 - 4 Sep 2025
Viewed by 987
Abstract
Synthetic Aperture Radar (SAR) target detection models are highly vulnerable to adversarial attacks, which significantly reduce detection performance and robustness. Existing adversarial SAR target detection approaches mainly focus on the image domain and neglect the critical role of signal propagation, making it difficult to fully capture the connection between the physical space and the image domain. To address this limitation, we propose an Echo Signal-Guided Adversarial Example Generation method for SAR target detection (SAR-ESAE). The core idea is to embed adversarial perturbations into SAR echo signals and propagate them through the imaging and inverse scattering processes, thereby establishing a unified attack framework across the signal, image, and physical spaces. In this way, perturbations not only appear as pixel-level distortions in SAR images but also alter the scattering characteristics of 3D target models in the physical space. Simulation experiments in the Scenario-SAR dataset demonstrate that the SAR-ESAE method reduces the mean Average Precision of the YOLOv3 model by 23.5% and 8.6% compared to Dpatch and RaLP attacks, respectively. Additionally, it exhibits excellent attack effectiveness in both echo signal and target model attack experiments and exhibits evident adversarial transferability across detection models with different architectures, such as Faster-RCNN and FCOS.

23 pages, 5394 KB  
Article
Spatially Adaptive and Distillation-Enhanced Mini-Patch Attacks for Remote Sensing Image Object Detection
by Zhihan Yang, Xiaohui Li, Linchao Zhang and Yingjie Xu
Electronics 2025, 14(17), 3433; https://doi.org/10.3390/electronics14173433 - 28 Aug 2025
Viewed by 716
Abstract
Despite the remarkable success of Deep Neural Networks (DNNs) in Remote Sensing Image (RSI) object detection, they remain vulnerable to adversarial attacks. Numerous adversarial attack methods have been proposed for RSI; however, adding a single large-scale adversarial patch to certain high-value targets, which are typically large in physical scale and irregular in shape, is both costly and inflexible. To address this issue, we propose a strategy of using multiple compact patches. This approach introduces two fundamental challenges: (1) how to optimize patch placement for a synergistic attack effect, and (2) how to retain strong adversarial potency within size-constrained mini-patches. To overcome these challenges, we introduce the Spatially Adaptive and Distillation-Enhanced Mini-Patch Attack (SDMPA) framework, which consists of two key modules: (1) an Adaptive Sensitivity-Aware Positioning (ASAP) module, which resolves the placement challenge by fusing the model’s attention maps from both an explainable and an adversarial perspective to identify optimal patch locations, and (2) a Distillation-based Mini-Patch Generation (DMPG) module, which tackles the potency challenge by leveraging knowledge distillation to transfer adversarial information from large teacher patches to small student patches. Extensive experiments on the RSOD and MAR20 datasets demonstrate that SDMPA significantly outperforms existing patch-based attack methods. For example, against YOLOv5n on the RSOD dataset, SDMPA achieves an Attack Success Rate (ASR) of 88.3% using only three small patches, surpassing other patch attack methods.

28 pages, 1874 KB  
Article
Lexicon-Based Random Substitute and Word-Variant Voting Models for Detecting Textual Adversarial Attacks
by Tarik El Lel, Mominul Ahsan and Majid Latifi
Computers 2025, 14(8), 315; https://doi.org/10.3390/computers14080315 - 2 Aug 2025
Cited by 1 | Viewed by 663
Abstract
Adversarial attacks in Natural Language Processing (NLP) present a critical challenge, particularly in sentiment analysis, where subtle input modifications can significantly alter model predictions. In search of more robust defenses against adversarial attacks on sentimental analysis, this research work introduces two novel defense mechanisms: the Lexicon-Based Random Substitute Model (LRSM) and the Word-Variant Voting Model (WVVM). LRSM employs randomized substitutions from a dataset-specific lexicon to generate diverse input variations, disrupting adversarial strategies by introducing unpredictability. Unlike traditional defenses requiring synonym dictionaries or precomputed semantic relationships, LRSM directly substitutes words with random lexicon alternatives, reducing overhead while maintaining robustness. Notably, LRSM not only neutralizes adversarial perturbations but occasionally surpasses the original accuracy by correcting inherent model misclassifications. Building on LRSM, WVVM integrates LRSM, Frequency-Guided Word Substitution (FGWS), and Synonym Random Substitution and Voting (RS&V) in an ensemble framework that adaptively combines their outputs. Logistic Regression (LR) emerged as the optimal ensemble configuration, leveraging its regularization parameters to balance the contributions of individual defenses. WVVM consistently outperformed standalone defenses, demonstrating superior restored accuracy and F1 scores across adversarial scenarios. The proposed defenses were evaluated on two well-known sentiment analysis benchmarks: the IMDB Sentiment Dataset and the Yelp Polarity Dataset. The IMDB dataset, comprising 50,000 labeled movie reviews, and the Yelp Polarity dataset, containing labeled business reviews, provided diverse linguistic challenges for assessing adversarial robustness. Both datasets were tested using 4000 adversarial examples generated by established attacks, including Probability Weighted Word Saliency, TextFooler, and BERT-based Adversarial Examples. WVVM and LRSM demonstrated superior performance in restoring accuracy and F1 scores across both datasets, with WVVM excelling through its ensemble learning framework. LRSM improved restored accuracy from 75.66% to 83.7% when compared to the second-best individual model, RS&V, while the Support Vector Classifier WVVM variation further improved restored accuracy to 93.17%. Logistic Regression WVVM achieved an F1 score of 86.26% compared to 76.80% for RS&V. These findings establish LRSM and WVVM as robust frameworks for defending against adversarial text attacks in sentiment analysis.

24 pages, 6025 KB  
Article
Uniform Manifold Approximation and Projection Filtering and Explainable Artificial Intelligence to Detect Adversarial Machine Learning
by Achmed Samuel Koroma, Sara Narteni, Enrico Cambiaso and Maurizio Mongelli
Information 2025, 16(8), 647; https://doi.org/10.3390/info16080647 - 29 Jul 2025
Viewed by 898
Abstract
Adversarial machine learning exploits the vulnerabilities of artificial intelligence (AI) models by inducing malicious distortion in input data. Starting with the effect of adversarial methods on well-known MNIST and CIFAR-10 open datasets, this paper investigates the ability of Uniform Manifold Approximation and Projection (UMAP) in providing useful representations of both legitimate and malicious images and analyzes the attacks’ behavior under various conditions. By enabling the extraction of decision rules and the ranking of important features from classifiers such as decision trees, eXplainable AI (XAI) achieves zero false positives and negatives in detection through very simple if-then rules over UMAP variables. Several examples are reported in order to highlight the attacks’ behaviour. The data availability statement details all code and data, which are publicly available to support reproducibility.

16 pages, 1550 KB  
Article
Understanding and Detecting Adversarial Examples in IoT Networks: A White-Box Analysis with Autoencoders
by Wafi Danesh, Srinivas Rahul Sapireddy and Mostafizur Rahman
Electronics 2025, 14(15), 3015; https://doi.org/10.3390/electronics14153015 - 29 Jul 2025
Cited by 1 | Viewed by 746
Abstract
Novel networking paradigms such as the Internet of Things (IoT) have expanded their usage and deployment to various application domains. Consequently, unseen critical security vulnerabilities such as zero-day attacks have emerged in such deployments. The design of intrusion detection systems for IoT networks is often challenged by a lack of labeled data, which complicates the development of robust defenses against adversarial attacks. As deep learning-based network intrusion detection systems, network intrusion detection systems (NIDS) have been used to counteract emerging security vulnerabilities. However, the deep learning models used in such NIDS are vulnerable to adversarial examples. Adversarial examples are specifically engineered samples tailored to a specific deep learning model; they are developed by minimal perturbation of network packet features, and are intended to cause misclassification. Such examples can bypass NIDS or enable the rejection of regular network traffic. Research in the adversarial example detection domain has yielded several prominent methods; however, most of those methods involve computationally expensive retraining steps and require access to labeled data, which are often lacking in IoT network deployments. In this paper, we propose an unsupervised method for detecting adversarial examples that performs early detection based on the intrinsic characteristics of the deep learning model. Our proposed method requires neither computationally expensive retraining nor extra hardware overhead for implementation. For the work in this paper, we first perform adversarial example generation on a deep learning model using autoencoders. After successful adversarial example generation, we perform adversarial example detection using the intrinsic characteristics of the layers in the deep learning model. A robustness analysis of our approach reveals that an attacker can easily bypass the detection mechanism by using low-magnitude log-normal Gaussian noise. Furthermore, we also test the robustness of our detection method against further compromise by the attacker. We tested our approach on the Kitsune datasets, which are state-of-the-art datasets obtained from deployed IoT network scenarios. Our experimental results show an average adversarial example generation time of 0.337 s and an average detection rate of almost 100%. The robustness analysis of our detection method reveals a reduction of almost 100% in adversarial example detection after compromise by the attacker.

21 pages, 2789 KB  
Article
BIM-Based Adversarial Attacks Against Speech Deepfake Detectors
by Wendy Edda Wang, Davide Salvi, Viola Negroni, Daniele Ugo Leonzio, Paolo Bestagini and Stefano Tubaro
Electronics 2025, 14(15), 2967; https://doi.org/10.3390/electronics14152967 - 24 Jul 2025
Viewed by 988
Abstract
Automatic Speaker Verification (ASV) systems are increasingly employed to secure access to services and facilities. However, recent advances in speech deepfake generation pose serious threats to their reliability. Modern speech synthesis models can convincingly imitate a target speaker’s voice and generate realistic synthetic audio, potentially enabling unauthorized access through ASV systems. To counter these threats, forensic detectors have been developed to distinguish between real and fake speech. Although these models achieve strong performance, their deep learning nature makes them susceptible to adversarial attacks, i.e., carefully crafted, imperceptible perturbations in the audio signal that make the model unable to classify correctly. In this paper, we explore adversarial attacks targeting speech deepfake detectors. Specifically, we analyze the effectiveness of Basic Iterative Method (BIM) attacks applied in both time and frequency domains under white- and black-box conditions. Additionally, we propose an ensemble-based attack strategy designed to simultaneously target multiple detection models. This approach generates adversarial examples with balanced effectiveness across the ensemble, enhancing transferability to unseen models. Our experimental results show that, although crafting universally transferable attacks remains challenging, it is possible to fool state-of-the-art detectors using minimal, imperceptible perturbations, highlighting the need for more robust defenses in speech deepfake detection.
