Improving Robotic Vision Reduces Vulnerability to Attacks in Deep Learning Systems

In our increasingly connected world, artificial intelligence revolutionized many industries, especially in the field of self-driving vehicles. These self-driving compounds now work as smart surveillance systems, which use advanced neurological networks specialized in artificial intelligence of night vision, which has received global attention despite the large costs of it. However, spreading these artificial intelligence systems, especially in automatic vision, represents unique weaknesses that need to be addressed [1].

The networks used for vision tasks vary and often operate in hostile environments, which makes choosing the network is very important and not trivial. As the opponents continue to develop their technologies, it becomes necessary to develop strong wireless communications for nerve networks to ensure the safety and reliability of these systems.

This research aims to explore the weaknesses of robotic vision systems, with a focus on the field of hostile attacks and their impact on communication strategies with pictures. It highlights the importance of protecting these networks from hostile attacks. By using advanced techniques such as noise filler, engineering shifts, and increasing data, nervous networks can be immunized against corruption and manipulation [2].

During this study, we will primarily study neural network systems in vision applications and various hostilities. We will discuss the restrictions imposed on current defense technologies and explore the application of photo transfers as a strategic defense mechanism. In addition, we will delve into concepts such as competitive training, augmented learning, improving confidence, and birth models [3].

The necessity of the responsible development of these technologies is emphasized and published through realistic status studies that present the effectiveness and potential challenges of innovative applications. The recent developments in the field of robots and computer vision have strengthened the ability of robots to realize and interact their environments. However, this progress led to the emergence of new security challenges and weaknesses [1].

Harmful attacks, a borrowed concept of cybersecurity, pose a major threat to vision systems. These attacks use perceptions of robots, which leads to wrong interpretations and decisions that may be dangerous. For example, changing visual data entry into the self-driving car may lead to incorrect explanations for the traffic light, causing accidents.

Understanding and measuring weaknesses in robotic vision systems is very important. Researchers explore various defenses such as training in competition, strong reinforcement and detecting abnormal conditions to enhance the flexibility of these systems. This study aims to highlight the diversity and influence of hostile attacks on vision systems and discuss the latest developments in defines technologies [2-4].

By providing a detailed analysis of competitive technologies and their effects on robotic vision, this research seeks to bridge the current gaps and suggest effective solutions. The goals are to improve the safety of artificial intelligence-based vision systems and ensure their reliable operation in important applications such as self-driving and health care robots.

3.1 Building a deep-based robotic vision system

In recent years, robots have witnessed great developments, enabling robots to perform a wide range of tasks with increasing independence. One of the most important aspects of robotic systems is its ability to realize and understand the surrounding environment, which is achieved through the computer vision. Image-based robotic vision has emerged, in particular, as a major search field, allowing robots to analyze visual data and take enlightened decisions based on what they see. Deep learning, a sub-field of artificial intelligence, has revolutionized the field of computer vision by enabling machines from learning and extracting meaningful information from huge amounts of visual data. Consequently, the robotic vision systems based on deep learning are necessary for understanding and development [11-13].

3.2 Understanding deep learning to build a deep learning model

Deep learning, in essence, is a technique of machine learning inspired by the structure and function of the human brain. The training of artificial nervous networks includes multiple layers to identify complex patterns and extract them from the data entered. In the context of image-based robotic vision, deep learning models can be trained to understand and interpret visual information, enabling robots to perform tasks such as identifying things, understanding scenes and navigation.

1.png

Figure 1. Feature extraction in neural network

The first step is to build a deep-based robotic vision system in collecting and processing a variety of data in advance. This data collection should consist of classified images that cover a wide range of objects, viewers and lighting conditions that the robot is expected to face in its operational environment. Data increase techniques, such as rotation, measurement and heart, are used to increase the size and diversity of the data set [14]. Figure 1 shows the process of extracting features in the nervous network, where the ripples are used to make the features of the features.

Once the data set is prepared, the next step is to design a deep learning model structure. The CNN (CNN) has proven its high effectiveness in the tasks based on images due to their ability to capture spatial hierarchical serials and extract related features of the images. The structure usually consists of multiple convictions, followed by assembly layers to reduce spatial dimensions and fully connected layers for classification or slope tasks [15].

Deep learning model training involves presenting frequently categorized images to the network, allowing it to learn and adjust its internal parameters to reduce the difference between expected and actual ratings. This process is accomplished using optimization algorithms such as Stochastic Gradient Descent (SGD) or its variants. To prevent over-processing, techniques such as leakage and regulation are used [16]. The model is built according to generalizations as in Eq. (1).

$f(x, y)=\Sigma i \Sigma j k i, j \times x i-j$          (1)

where, f is the processed image, k is the candidate image, x is the original image, and the model is built according to generalizations such as $ai=σ(Σjwijxj+bi)$, where a is the outputs of unit i, w weights, b biased edges, σ activation function, and the model is trained using inverse propagation and associative error equation such as Eq. (2).

$\delta j=\frac{\partial E}{\partial a j}, \quad \Delta w i j=\eta \delta j x i$          (2)

where, δ is the error, E is the total error, and η is the learning rate.

After training the model, it is necessary to evaluate its performance on a separate data set to verify its health. Measurements such as accuracy, control, summons and F1 are used to assess the effectiveness of the model. If the performance is not satisfactory, the form can be accurately adjusted by adjusting the super parameters, adjusting the structure, or collecting additional data. Once it is trained and evaluated, the deep learning model can be published and integrate into the automated system, analyzing visual data in the actual time picked up by robot-installed cameras, thus providing valuable information to make decisions and control [17].

Integration may include the development of software interfaces, the creation of communication protocols, and the guarantee of compatibility with automated devices. Building a deep learning system for photo-based automatic vision is a complex and recurrent process. By harnessing the power of deep learning, robots can gain a deeper understanding of what surrounds them, enabling them to intelligence intelligently with the environment. The main steps included in this process include data collection, pre-processing, form structure design, training, improvement, evaluation, careful control, and finally, publishing and complementarity.

3.3 Functional attacks and rapid registration method (FGSM)

FGSM is a simple but strong technique for creating hostile cases. It takes advantage of the gradients of losing the form with regard to input data to determine the direction in which the input must be disturbed. FGSM algorithm is calculated and measured by a small fixed value, Epsilon (ε), to ensure accurate disorders remains [18].

To create a hostile example using FGSM, we start with a clean introduction and calculate the graduation function of the model in relation to the entry. The gradient represents the sensitivity of the model predictions of changes in input data. By annoying the inputs in the opposite direction of the gradual and expanding the scope of the disorder by ε, we can create a hostile example that misleads the form:

$x^{\prime}=x+\varepsilon \times {sign}\left(\nabla_x J(\theta, x, y)\right)$          (3)

where, x' is the hostile counterpart, ε is the maximum permissible limit of disorder. In this way, the model can be misleading by poor classification of the rivalry.

Understanding the concepts behind hostile attacks and technologies such as FGSM is very important to develop strong defines mechanisms and ensure the safety of artificial intelligence systems in various fields. With the continued development of this field, more research and cooperation are needed to address ethical considerations and develop effective counter measures against hostile attacks. Figure 2 shows the attack mechanism used in female circumcision.

Figure 2. Attack mechanism

3.4 Defending against FGSM attacks

Several defense methods were proposed against female circumcision attacks, including training on hostile examples, adding random noise during the training or reasoning process, and re-training the model on hostile examples before classification operations.

3.4.1 Training on hostile examples

The hostile examples created using FGSM are added during the training process, which helps the model to learn to resist this type of attack. This technique, known as litigation training, is one of the most effective strategies to enhance the power of deep models against rivalry attacks. The function of the amending loss of litigants appears in the Eq. (4).

$L^{\prime}\left(\theta ; x, y, x^{\prime}\right)=L(\theta ; x, y)+L\left(\theta ; x^{\prime}+r, y\right)$          (4)

where, x' represents the examples of the adversary generated, and r represents the amount of adversarial turbulence.

3.4.2 Adding random noise

This technique involves adding random noise to the data entered during training. By doing so, the model learns how to deal with annoying data and becomes more resistant to small changes in input. The process can be expressed as in Eq. (5).

$x^{\prime}=x+\varepsilon$          (5)

where, ε is a matrix representing random noise.

3.4.3 Retraining method

Retraining method involves retraining the model on both original and opposing examples to improve its ability to distinguish between them. The loss function used in this approach is shown in Eq. (6).

$L\left(\theta ; x, y, x^{\prime}, y^{\prime}\right)=L(\theta ; x, y)+L\left(\theta ; x^{\prime}, y\right)$          (6)

The aim is to improve the model's ability to distinguish between original examples and opposing counterparts, thereby minimizing the impact of disturbances on future taxonomic outcomes [19].

3.4.4 Retraining on original and adversarial data together

This approach combines the original examples x and the generated adversarial examples x' into one training set, using the joint loss function shown in Eq. (7).

$L(\theta ; D)=L(\theta ;Doriginal )+L(\theta ;Dadversarial)$          (7)

where, D original is the original dataset and D adversarial is the hostile dataset. This method ensures that the model is trained on both types of data, increasing its resistance to hostile modifications.

3.4.5 Modified loss functions (L1/L2)

Using modified loss functions, such as L1 and L2, helps improve the resistance of deep models to hostile attacks. The loss function L1 is defined in Eq. (8).

$L 1(y, \hat{y})=\sum i|y i-\hat{y} i|$          (8)

And the L2 loss function is defined in Eq. (9).

$L 2(y, \hat{y})=\frac{1}{2} \sum i(y i-\hat{y} i)^2$          (9)

These loss functions reduce the severity of gradients, making gradient-based attacks less effective [20].

The implementation of these defense mechanisms enhances the model's strength against hostile attacks, ensuring the reliability and security of AI systems in various applications.

We have implemented offensive attacks on the trained Fashion-MNIST neural network model using the Python TensorFlow library and the Keras programming interface. The attack method follows the Fast Gradient Sign Method (FGSM). For each selected test image, a distorted image is generated by calculating the image gradients relative to the model loss function, as shown in Eq. (10).

$\left[\nabla_X L=\{\partial L\} /\{\partial X\}\right]$         (10)

Figure 5 shows images created by a neural network in grayscale after being attacked by FGSM.

5.png

Figure 5. Images generated by grayscale neural network after being subjected to FGSM attack

Distorted pixel drawing shows the amount of distortion applied to each pixel in distorted images compared to the original images. By analyzing distortion values, we can understand which pixels have been modified and to what extent. This information is necessary to understand the rigidity of the model and its susceptibility to hostile attacks. Figure 6 shows the amount of distortion applied to each pixel during an FGSM attack.

We also implemented a Carlini Wagner (CW) attack, a Deep Fool attack, and a Projected Gradient Descent (PGD) attack. Figures 7-10 show images generated by the neural network in grayscale after experiencing these attacks, respectively.

6.png

Figure 6. The amount of perturbation applied to each pixel in the images when an FGSM attack

7.png

Figure 7. Images generated by a grayscale neural network after being subjected to a CW attack

8.png

Figure 8. The amount of flicker applied to each pixel in images when chemical weapons are attacked

9.png

Figure 9. Images created by a grayscale neural network after being subjected to a deep foolish attack

10.png

Figure 10. Images created by a grayscale neural network after being attacked by PGD

In order to improve the category accuracy after exposure to PGD, Deep Fool, Black Box and FSGM attacks, we have applied a set of transfers to the original image to improve the category accuracy:

1. Change the image size: We changed the size of the original image with 28×28 pixels. This helps to unify the size of the image, reduce possible noise and excessive treatment.
2. Employment of brightness and contrast: We modified the brightness of the image, increased contrast to highlight important parts of the image and improve the classification. This helps to improve the ability of the model to extract the features and patterns in the image.
3. Improving contrast: We have improved light distribution in the image using a technique called improving contrast. This expands the range of colors and improving the details in the image.
4. Victory homogeny: This removes noise and reduces excess detail in the image, thus enhancing the ability for accurate classification.
5. Image normalization: We divide the image pixel values into 255 to convert the image into [0, 1] range. This makes it easier for the model to handle the normalized data correctly and after applying these transformations, we classified the transformed image using the model trained on the Fashion MNIST dataset.

Our goal is to improve the classification accuracy by improving the image quality and highlighting the important features in it. We have carried out the processes gradually according to the Table 1, where the accuracy of the different transformations is evaluated against different types of malicious attacks (FGSM, Deep Fool, PGD, and Black Box). Accuracy is measured based on the correct classification results of the model after image transformation.

Table 1. Accuracy of the classification

From the Table 1, it can be seen that the use of different transformation operations contributes to enhancing the model's resistance to malicious attacks. Each time an additional transformation is applied, the accuracy achieved increases. For example, when using a sequential transformation of resized image, adjusted image, enhanced image, smoothed image, and normalized image, the highest level of classification accuracy among all attack types is achieved. Overall, using a sequence of transformations appears to improve the overall performance of the model against malicious attacks, as higher classification accuracy is achieved with each additional transformation. Images generated by grayscale neural network after applying transformations to the image in a PDG attack, Deep Fool attack and Black Box attack are shown in Figures 11-13, respectively.

11.png

Figure 11. Images generated by grayscale neural network after applying transformations to the image in a PDG attack

12.png

Figure 12. Images generated by grayscale neural network after applying transformations to the image in Deep Fool attack

13.png

Figure 13. Images generated by a grayscale neural network after applying transformations to the image in a Black Box attack

In this study, we explored the impact of hostile attacks on the CNN nervous network model (CNN) that was trained on the Fashion Monist data collection and evaluated the various defense mechanisms. The results we find reveals that the application of a series of photo transfers greatly enhances the elasticity of the model in the face of hostile disorders. Specifically, our results appear in accuracy with applied defenses, with increases of up to 5.35% for FGSM attacks, 3.23% for Deep Fool attacks, 4.00% for PGD attacks, 1.58% for black box attacks.

These technologies outperform traditional methods, which indicates their practical character and their effectiveness in preserving the durability of the model. However, there are restrictions, such as the difference in the effectiveness of these defenses depending on the type and intensity of the attack. Future research should focus on additional defense mechanisms, conducting detection studies to understand the contribution of each transformation better, and testing these technologies on other data collections and more advanced attacks. Practical applications for this study are important, as strong models are essential for highly reliable and security applications in areas such as independent systems, financial prediction and medical diagnosis. In general, this study highlights the importance of integrating effective defense mechanisms to protect automatic learning models from hostile threats, indicating that pre-treatment techniques can be a valuable strategy to enhance the safety of models in hostilities. Future work should continue to improve these methods and expand their scope to ensure their effectiveness in various and advanced contexts.