Convolutional Neural Networks (CNNs) are highly effective for tasks such as image classification because their architecture, loosely inspired by the visual cortex, captures spatial features through convolutional layers, reduces dimensionality with pooling layers, and performs classification with fully connected layers. Despite these capabilities, CNNs are vulnerable to adversarial examples, data poisoning, backdoors, model extraction, and membership inference attacks. These attacks exploit weaknesses in the model or its training pipeline and lead to incorrect predictions, model theft, and privacy breaches. Defenses such as adversarial training, robust optimization, and ensemble models have been developed to counter them.
Various studies have examined the impact of specific attacks on CNNs. Property inference attacks (PIAs) can reveal global properties of the training dataset that the model was never meant to disclose, while gradient-based adversarial attacks such as Projected Gradient Descent (PGD) can sharply lower a model's accuracy by applying small, bounded perturbations chosen to maximize the model's loss. Other notable attacks include the Carlini and Wagner (CW) attack, which searches for a minimal perturbation that changes the prediction while remaining imperceptible to a human, and the Boundary Attack, a black-box (decision-based) approach that needs only the model's predicted labels: it starts from an input that is already misclassified and walks along the decision boundary with random perturbations, moving closer to the original input while staying on the wrong side of the boundary. These attacks expose the vulnerability of CNNs across datasets and domains, including tabular data and specialized tasks such as fault diagnosis and scene classification.
To evaluate and defend against such attacks, researchers have developed defenses such as adversarial training alongside stronger, hybrid attacks. The Brendel and Bethge (B&B) attack, for instance, combines gradient-based and decision-based methods: like the Boundary Attack it starts from an adversarial point and follows the decision boundary, but it uses gradients to choose each step, which gives it high query efficiency. The B&B attack performs well across several adversarial norms and remains effective even with suboptimal hyperparameters. Studies have also shown that blending decision-based attacks with meta-learning techniques, such as the BOSH algorithm, can further raise attack success rates. These findings underscore the need for continual advances in both attack methods and defense mechanisms to maintain the integrity of CNNs in critical applications.
The main goal of this project is to evaluate and enhance the security of our model against the adversarial attacks planned above: to identify where the model is vulnerable, test it, and make it robust. To this end, we build a CNN model trained on a heart disease risk prediction dataset that is not only resistant to these attacks but also able to reduce their impact.
The Cardiovascular Disease Risk Prediction dataset from Kaggle was analyzed to assess the vulnerability of a CNN model trained on tabular data. Exploratory Data Analysis (EDA) revealed a significant class imbalance, which was addressed during preprocessing with a combination of the Synthetic Minority Over-sampling Technique (SMOTE) and random under-sampling. Over-sampling increases minority-class representation and under-sampling reduces majority-class bias; together they produced a CNN model with high accuracy on the balanced data.
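The resampling step above, written out as an added example so that the arithmetic of both techniques is visible. This is illustrative code, not the project's preprocessing pipeline: the rows, the feature names, the 9:1 imbalance and the 0.5 SMOTE ratio are all constructed assumptions, and the SMOTE and under-sampling routines are implemented from scratch rather than taken from a library.

```python
"""Added example (not the project's code): SMOTE over-sampling followed by random
under-sampling, implemented from scratch on constructed tabular rows."""
import math
import random


def euclid(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def smote(minority, n_synthetic, k=5, seed=0):
    """SMOTE: for each synthetic row pick a random minority row, one of its k nearest
    minority neighbours, and a random point on the segment joining them."""
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority rows")
    rng = random.Random(seed)
    k = min(k, len(minority) - 1)
    synthetic = []
    for _ in range(n_synthetic):
        i = rng.randrange(len(minority))
        base = minority[i]
        others = [r for j, r in enumerate(minority) if j != i]
        neighbours = sorted(others, key=lambda r: euclid(base, r))[:k]
        nb = rng.choice(neighbours)
        lam = rng.random()  # interpolation factor in [0, 1)
        synthetic.append([p + lam * (q - p) for p, q in zip(base, nb)])
    return synthetic


def random_undersample(majority, n_keep, seed=0):
    """Random under-sampling: keep a uniformly random subset of the majority rows."""
    return random.Random(seed).sample(majority, min(n_keep, len(majority)))


def balance(X, y, minority_label=1, smote_ratio=0.5, seed=0):
    """Over-sample the minority class with SMOTE up to smote_ratio * |majority|, then
    under-sample the majority class down to the new minority size, giving a 1:1 split."""
    minority = [x for x, t in zip(X, y) if t == minority_label]
    majority = [x for x, t in zip(X, y) if t != minority_label]
    if not minority or not majority:
        raise ValueError("need rows from both classes")
    majority_label = next(t for t in y if t != minority_label)
    target = max(len(minority), int(smote_ratio * len(majority)))
    minority = minority + smote(minority, target - len(minority), seed=seed)
    majority = random_undersample(majority, len(minority), seed=seed)
    labels = [minority_label] * len(minority) + [majority_label] * len(majority)
    return minority + majority, labels


def constructed_dataset(seed=0):
    """Constructed imbalanced rows (assumed features: age, BMI, systolic pressure, each
    scaled to [0, 1]); 90 negatives clustered low, 10 positives clustered high."""
    rng = random.Random(seed)
    X = [[rng.uniform(0.0, 0.6) for _ in range(3)] for _ in range(90)]
    X += [[rng.uniform(0.5, 1.0) for _ in range(3)] for _ in range(10)]
    y = [0] * 90 + [1] * 10
    return X, y


if __name__ == "__main__":
    X, y = constructed_dataset()
    Xb, yb = balance(X, y)
    print("before:", {0: y.count(0), 1: y.count(1)})
    print("after: ", {0: yb.count(0), 1: yb.count(1)})
```

Two caveats a practitioner would apply when reproducing this step: resample only the training split, after the train/test split, otherwise synthetic rows leak into evaluation and inflate the reported accuracy; and because SMOTE interpolates, integer-coded or one-hot features (age in years, sex, chest-pain type) come out as fractions unless they are rounded or handled with a categorical-aware variant.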
Following that, four distinct attacks are assessed: Projected Gradient Descent (PGD), the Carlini and Wagner (CW) attack, the Boundary Attack, and the Brendel & Bethge (B&B) attack.
These four attacks fall under the category of evasion: they generate adversarial examples, inputs carrying small perturbations that lead the model to misclassify them. Evasion attacks target the inference phase of the machine learning lifecycle, acting on the already trained model through its inputs rather than through its training data, and the research tracks the change in model accuracy before and after each attack to determine how vulnerable the model is.
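The two attack families the project contrasts, a white-box gradient attack (PGD) and a query-only decision-based attack (the Boundary Attack), shown as an added example against a small tabular classifier, together with the before/after accuracy measurement described above. This is illustrative code, not the project's model or attack code: the logistic-regression model stands in for the CNN, the two-feature dataset and every hyperparameter (eps, step size, step counts) are assumptions, and the attacks are written from scratch rather than taken from an attack library.

```python
"""Added example (not the project's code): a white-box PGD evasion attack and a query-only
Boundary Attack against a small logistic-regression model on constructed tabular rows.
The dataset, model, and hyperparameters are assumptions chosen for illustration."""
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def make_dataset(n=200, seed=0):
    """Constructed 'tabular' rows: two features scaled to [0, 1]; label 1 when x0 + x1 > 1."""
    rng = random.Random(seed)
    X = [[rng.random(), rng.random()] for _ in range(n)]
    y = [1 if x[0] + x[1] > 1.0 else 0 for x in X]
    return X, y


def train_logreg(X, y, epochs=1000, lr=1.0):
    """Full-batch gradient descent on binary cross-entropy; returns (weights, bias)."""
    w, b, n = [0.0] * len(X[0]), 0.0, len(X)
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, t in zip(X, y):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - t
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def predict(w, b, x):
    return 1 if sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) >= 0.5 else 0


def accuracy(w, b, X, y):
    return sum(predict(w, b, x) == t for x, t in zip(X, y)) / len(y)


def pgd_attack(w, b, x, t, eps=0.1, alpha=0.02, steps=20, lo=0.0, hi=1.0):
    """White-box L_inf PGD (no random start): climb the loss along sign(grad), then project
    back into the eps-ball around x and into the valid feature range [lo, hi]."""
    x_adv = list(x)
    for _ in range(steps):
        p = sigmoid(sum(wi * xi for wi, xi in zip(w, x_adv)) + b)
        grad = [(p - t) * wi for wi in w]  # d(BCE)/dx for logistic regression
        x_adv = [xi + alpha * math.copysign(1.0, g) if g else xi for xi, g in zip(x_adv, grad)]
        x_adv = [min(max(xa, xo - eps, lo), xo + eps, hi) for xa, xo in zip(x_adv, x)]
    return x_adv


def boundary_attack(label_fn, x, t, start, steps=300, delta=0.03, shrink=0.05,
                    lo=0.0, hi=1.0, seed=0):
    """Decision-based attack that only queries predicted labels: from a point that is already
    misclassified, add random noise, step toward x, and keep the candidate only while it
    stays on the wrong side of the decision boundary."""
    rng = random.Random(seed)
    if label_fn(start) == t:
        raise ValueError("starting point must already be adversarial")
    adv = list(start)
    for _ in range(steps):
        cand = [a + rng.gauss(0.0, delta) for a in adv]
        cand = [min(max(c + shrink * (xo - c), lo), hi) for c, xo in zip(cand, x)]
        if label_fn(cand) != t:
            adv = cand
    return adv


def l_inf(a, b):
    return max(abs(p - q) for p, q in zip(a, b))


def run_experiment(eps=0.1, seed=0):
    """Clean vs. adversarial accuracy under PGD, plus one Boundary Attack run."""
    X, y = make_dataset(seed=seed)
    w, b = train_logreg(X, y)

    def label(v):
        return predict(w, b, v)

    X_adv = [pgd_attack(w, b, x, t, eps=eps) for x, t in zip(X, y)]
    # Boundary Attack: a correctly classified row is the target; the farthest correctly
    # classified row of the other class is the adversarial starting point.
    idx = next(i for i, (x, t) in enumerate(zip(X, y)) if label(x) == t)
    start = max((x for x, t in zip(X, y) if t != y[idx] and label(x) == t),
                key=lambda v: l_inf(v, X[idx]))
    adv = boundary_attack(label, X[idx], y[idx], start, seed=seed)
    return {
        "clean_accuracy": accuracy(w, b, X, y),
        "pgd_accuracy": accuracy(w, b, X_adv, y),
        "pgd_max_linf": max(l_inf(xa, x) for xa, x in zip(X_adv, X)),
        "boundary_start_dist": l_inf(start, X[idx]),
        "boundary_final_dist": l_inf(adv, X[idx]),
        "boundary_still_adversarial": label(adv) != y[idx],
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name}: {value}")
```

The projection step in `pgd_attack` is where tabular data differs from images: the perturbation is bounded not only by eps but by the valid range of each feature, and in a real tabular setting it must also respect feature semantics (integer-coded fields rounded, one-hot groups kept consistent, immutable fields excluded), otherwise the "adversarial" row is one no patient record could produce. The Boundary Attack never touches gradients; it only needs the label the deployed model returns, which is exactly the access an attacker has against a prediction service.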
In the final stage, a testing system is developed that lets users upload their own models and datasets. Users choose a specific attack to apply and observe how it affects model accuracy. If vulnerabilities are identified, the system recommends defense strategies to strengthen the model's resilience against those attacks.
Recommendations are provided according to the attack to which the model is vulnerable.
The studies above show that ML models are highly vulnerable to adversarial attacks that mislead the model through small perturbations. Because these attacks cause misclassification, and misclassification has major consequences, they raise serious security concerns in many real-world scenarios. We therefore need to evaluate these attacks against the model, measure how they affect it, and identify defenses that make the model robust against them. Unlike the common focus on image data, tabular data is central to sectors such as finance, telecommunications, and marketing, where models trained on it support fraud detection, customer churn prediction, and sales forecasting. These areas rely heavily on such models for important decisions, yet far less attention has been paid to how models trained on tabular data can be attacked.
This research focuses on a critical issue for the healthcare industry: the security of heart disease risk prediction models. Healthcare relies heavily on such prediction because it makes it possible to identify patients at risk of heart disease from information about their daily activities. Early detection of heart disease can greatly improve treatment outcomes and even save lives, which makes this capability extremely important. Yet little work has been done to safeguard these models from adversarial attacks.
Our research aims to fill this gap by developing and implementing defense mechanisms that protect heart disease prediction models from such attacks. This not only strengthens the security of these models but also lets practitioners rely on them without fear of manipulation or loss of sensitive data.
Main Objective
To assess the effect of the above-mentioned adversarial attacks on our proposed model and to strengthen the model against them.
Sub Objectives
Given the gap in understanding how vulnerable deep learning models trained on tabular data are, the authors of this research explore this area. To the authors' knowledge, no prior study specifically examines the adversarial vulnerability of deep learning models trained on structured (tabular) data. This study addresses that gap by examining the vulnerability of a Convolutional Neural Network (CNN) model trained on tabular data. Its main focus is to apply four well-known adversarial attacks, namely Projected Gradient Descent (PGD), the Carlini and Wagner attack, the Boundary Attack, and the Brendel & Bethge (B&B) attack, each adapted to a tabular dataset and the CNN model trained on it, and to analyze how the model's accuracy differs before and after each attack. In addition, the authors intend to explore and evaluate defense mechanisms against these attacks to enhance the model's robustness.