Mixed and constrained input mutation for effective fuzzing of deep learning systems

Leo Hyun Park; Jaeuk Kim; Jaewoo Park; Taekyoung Kwon

doi:10.1016/j.ins.2022.10.079

Mixed and constrained input mutation for effective fuzzing of deep learning systems

Leo Hyun Park, Jaeuk Kim, Jaewoo Park, Taekyoung Kwon

Graduate School of Information

Research output: Contribution to journal › Article › peer-review

Abstract

Adversarial examples cause misclassifications of deep learning (DL) systems. It isn't easy to debug misclassifications due to the intrinsic complexity of DL architecture. Thus, applying coverage-guided fuzzing, a widely used technique to find crashes in complex software, is promising. However, mutation strategies of DL fuzzers, such as DeepHunter, have a limitation. They restrict multiple transformations and so penalize generating diverse inputs. Otherwise, they cause significant distortion, rendering invalid inputs, such as unrecognizable or ambiguous to humans. However, multiple transformations are critical in mutation-based fuzzing. To address this problem, we propose the mixed and constrained mutation (MCM) for DL fuzzers. Human perception-based constraints of MCM avoid significant distortion in a single transformation and the aggregation of multiple transformations. We verify transformation parameters through a survey with 15 participants on each MNIST, STL-10, and ImageNet dataset to implement such constraints, followed by statistical tests. MCM returns valid inputs in almost every fuzzing iteration. Furthermore, MCM improved the fuzzing performance on various DL architectures on MNIST, STL-10, and ImageNet compared to DeepHunter: MCM discovered 17.6% more seeds showing new coverage and 132% more adversarial examples on average. These adversarial examples correspond to more than double the incorrect classes for each original image than DeepHunter.

Original language	English
Pages (from-to)	497-517
Number of pages	21
Journal	Information sciences
Volume	614
DOIs	https://doi.org/10.1016/j.ins.2022.10.079
Publication status	Published - 2022 Oct

Bibliographical note

Funding Information:
This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. NRF-2019R1A2C1088802) and this research was supported by Institute for Information & communications Technology Planning & Evaluation(IITP) grant funded by the Korea government (MSIT) (No.2018–0-00513, Machine Learning Based Automation of Vulnerability Detection on Unix-based Kernel). The authors thank Prof. Lei Ma for sharing his DeepHunter code to foster this study.

Publisher Copyright:
© 2022 Elsevier Inc.

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Software
Control and Systems Engineering
Computer Science Applications
Information Systems and Management
Artificial Intelligence

Access to Document

10.1016/j.ins.2022.10.079

Cite this

@article{e12434b0b6c14159ad9d209d1e31924c,

title = "Mixed and constrained input mutation for effective fuzzing of deep learning systems",

abstract = "Adversarial examples cause misclassifications of deep learning (DL) systems. It isn't easy to debug misclassifications due to the intrinsic complexity of DL architecture. Thus, applying coverage-guided fuzzing, a widely used technique to find crashes in complex software, is promising. However, mutation strategies of DL fuzzers, such as DeepHunter, have a limitation. They restrict multiple transformations and so penalize generating diverse inputs. Otherwise, they cause significant distortion, rendering invalid inputs, such as unrecognizable or ambiguous to humans. However, multiple transformations are critical in mutation-based fuzzing. To address this problem, we propose the mixed and constrained mutation (MCM) for DL fuzzers. Human perception-based constraints of MCM avoid significant distortion in a single transformation and the aggregation of multiple transformations. We verify transformation parameters through a survey with 15 participants on each MNIST, STL-10, and ImageNet dataset to implement such constraints, followed by statistical tests. MCM returns valid inputs in almost every fuzzing iteration. Furthermore, MCM improved the fuzzing performance on various DL architectures on MNIST, STL-10, and ImageNet compared to DeepHunter: MCM discovered 17.6% more seeds showing new coverage and 132% more adversarial examples on average. These adversarial examples correspond to more than double the incorrect classes for each original image than DeepHunter.",

author = "Park, {Leo Hyun} and Jaeuk Kim and Jaewoo Park and Taekyoung Kwon",

note = "Funding Information: This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. NRF-2019R1A2C1088802) and this research was supported by Institute for Information & communications Technology Planning & Evaluation(IITP) grant funded by the Korea government (MSIT) (No.2018–0-00513, Machine Learning Based Automation of Vulnerability Detection on Unix-based Kernel). The authors thank Prof. Lei Ma for sharing his DeepHunter code to foster this study. Publisher Copyright: {\textcopyright} 2022 Elsevier Inc.",

year = "2022",

month = oct,

doi = "10.1016/j.ins.2022.10.079",

language = "English",

volume = "614",

pages = "497--517",

journal = "Information Sciences",

issn = "0020-0255",

publisher = "Elsevier Inc.",

}

TY - JOUR

T1 - Mixed and constrained input mutation for effective fuzzing of deep learning systems

AU - Park, Leo Hyun

AU - Kim, Jaeuk

AU - Park, Jaewoo

AU - Kwon, Taekyoung

N1 - Funding Information: This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. NRF-2019R1A2C1088802) and this research was supported by Institute for Information & communications Technology Planning & Evaluation(IITP) grant funded by the Korea government (MSIT) (No.2018–0-00513, Machine Learning Based Automation of Vulnerability Detection on Unix-based Kernel). The authors thank Prof. Lei Ma for sharing his DeepHunter code to foster this study. Publisher Copyright: © 2022 Elsevier Inc.

PY - 2022/10

Y1 - 2022/10

N2 - Adversarial examples cause misclassifications of deep learning (DL) systems. It isn't easy to debug misclassifications due to the intrinsic complexity of DL architecture. Thus, applying coverage-guided fuzzing, a widely used technique to find crashes in complex software, is promising. However, mutation strategies of DL fuzzers, such as DeepHunter, have a limitation. They restrict multiple transformations and so penalize generating diverse inputs. Otherwise, they cause significant distortion, rendering invalid inputs, such as unrecognizable or ambiguous to humans. However, multiple transformations are critical in mutation-based fuzzing. To address this problem, we propose the mixed and constrained mutation (MCM) for DL fuzzers. Human perception-based constraints of MCM avoid significant distortion in a single transformation and the aggregation of multiple transformations. We verify transformation parameters through a survey with 15 participants on each MNIST, STL-10, and ImageNet dataset to implement such constraints, followed by statistical tests. MCM returns valid inputs in almost every fuzzing iteration. Furthermore, MCM improved the fuzzing performance on various DL architectures on MNIST, STL-10, and ImageNet compared to DeepHunter: MCM discovered 17.6% more seeds showing new coverage and 132% more adversarial examples on average. These adversarial examples correspond to more than double the incorrect classes for each original image than DeepHunter.

AB - Adversarial examples cause misclassifications of deep learning (DL) systems. It isn't easy to debug misclassifications due to the intrinsic complexity of DL architecture. Thus, applying coverage-guided fuzzing, a widely used technique to find crashes in complex software, is promising. However, mutation strategies of DL fuzzers, such as DeepHunter, have a limitation. They restrict multiple transformations and so penalize generating diverse inputs. Otherwise, they cause significant distortion, rendering invalid inputs, such as unrecognizable or ambiguous to humans. However, multiple transformations are critical in mutation-based fuzzing. To address this problem, we propose the mixed and constrained mutation (MCM) for DL fuzzers. Human perception-based constraints of MCM avoid significant distortion in a single transformation and the aggregation of multiple transformations. We verify transformation parameters through a survey with 15 participants on each MNIST, STL-10, and ImageNet dataset to implement such constraints, followed by statistical tests. MCM returns valid inputs in almost every fuzzing iteration. Furthermore, MCM improved the fuzzing performance on various DL architectures on MNIST, STL-10, and ImageNet compared to DeepHunter: MCM discovered 17.6% more seeds showing new coverage and 132% more adversarial examples on average. These adversarial examples correspond to more than double the incorrect classes for each original image than DeepHunter.

UR - http://www.scopus.com/inward/record.url?scp=85140979407&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85140979407&partnerID=8YFLogxK

U2 - 10.1016/j.ins.2022.10.079

DO - 10.1016/j.ins.2022.10.079

M3 - Article

AN - SCOPUS:85140979407

SN - 0020-0255

VL - 614

SP - 497

EP - 517

JO - Information Sciences

JF - Information Sciences

ER -

Mixed and constrained input mutation for effective fuzzing of deep learning systems

Abstract

Bibliographical note

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this