www.intechopen.com
Open in
urlscan Pro
35.171.73.43
Public Scan
Submitted URL: https://m.intechopen.com/ss/c/ueys4rkKc8QEgKxfLtyTg_cz7Y-Y_9M23J1yDq8_LCWPlhcaByPcpl2Duyobb4-64hmYPCUerGgyOVcKzMfLXw/400/...
Effective URL: https://www.intechopen.com/journals/1/articles/189
Submission: On September 30 via manual from CA — Scanned from CA
Effective URL: https://www.intechopen.com/journals/1/articles/189
Submission: On September 30 via manual from CA — Scanned from CA
Form analysis 6 forms found in the DOM
<form>
<fieldset>
<legend class="visuallyhidden">Consent Selection</legend>
<div id="CybotCookiebotDialogBodyFieldsetInnerContainer">
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonNecessary"><span
class="CybotCookiebotDialogBodyLevelButtonDescription">Necessary</span></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper CybotCookiebotDialogBodyLevelButtonSliderWrapperDisabled"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonNecessary"
class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelButtonDisabled" disabled="disabled" checked="checked" data-uw-rm-form="nfx"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonPreferences"><span
class="CybotCookiebotDialogBodyLevelButtonDescription">Preferences</span></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonPreferences" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonPreferencesInline" checked="checked" tabindex="0" data-uw-rm-form="nfx"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonStatistics"><span
class="CybotCookiebotDialogBodyLevelButtonDescription">Statistics</span></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonStatistics" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonStatisticsInline" checked="checked" tabindex="0" data-uw-rm-form="nfx"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonMarketing"><span
class="CybotCookiebotDialogBodyLevelButtonDescription">Marketing</span></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonMarketing" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonMarketingInline" checked="checked" tabindex="0" data-uw-rm-form="nfx"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
</div>
</fieldset>
</form><form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonNecessaryInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelButtonDisabled" disabled="disabled" checked="checked" aria-label="placeholder"
data-uw-placeholder-aria-label="placeholder" data-uw-rm-form="nfx"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form><form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonPreferencesInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonPreferences"
checked="checked" tabindex="0" aria-label="placeholder" data-uw-placeholder-aria-label="placeholder" data-uw-rm-form="nfx"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form><form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonStatisticsInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonStatistics"
checked="checked" tabindex="0" aria-label="placeholder" data-uw-placeholder-aria-label="placeholder" data-uw-rm-form="nfx"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form><form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonMarketingInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonMarketing" checked="checked"
tabindex="0" aria-label="placeholder" data-uw-placeholder-aria-label="placeholder" data-uw-rm-form="nfx"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form><form class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyContentCheckboxPersonalInformation" class="CybotCookiebotDialogBodyLevelButton" aria-label="placeholder"
data-uw-placeholder-aria-label="placeholder" data-uw-rm-form="nfx"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>Text Content
Skip to main contentEnable accessibility for visually impairedOpen the
accessibility menu Open the Accessible Navigation Menu
Powered by Cookiebot
* Consent
* Details
* [#IABV2SETTINGS#]
* About
THIS WEBSITE USES COOKIES
We use cookies to personalise content and ads, to provide social media features
and to analyse our traffic. We also share information about your use of our site
with our social media, advertising and analytics partners who may combine it
with other information that you’ve provided to them or that they’ve collected
from your use of their services.
Consent Selection
Necessary
Preferences
Statistics
Marketing
Show details
Necessary 17
Necessary cookies help make a website usable by enabling basic functions like
page navigation and access to secure areas of the website. The website cannot
function properly without these cookies.
* Beeswax
1
Learn more about this provider
checkForPermissionDetermines whether the user has accepted the cookie consent
box.
Expiry: 1 dayType: HTTP
* Google
2
Learn more about this provider
test_cookieUsed to check if the user's browser supports cookies.
Expiry: 1 dayType: HTTP
rc::eThis cookie is used to distinguish between humans and bots.
Expiry: SessionType: HTML
* RTB House
5
Learn more about this provider
tsThis cookie is necessary for the PayPal login-function on the website.
Expiry: 1 yearType: HTTP
u [x4]Necessary for the sign-up function on the website.
Expiry: 1 yearType: HTTP
* cdn.userway.org
1
uw-icon-localesUsed to keep settings on the website's accessibility widget.
This helps people with e.g. vision disabilities to properly navigate the
site.
Expiry: PersistentType: HTML
* cdnintech.com
1
CONSENTUsed to detect if the visitor has accepted the marketing category in
the cookie banner. This cookie is necessary for GDPR-compliance of the
website.
Expiry: 2 yearsType: HTTP
* contextweb.com
sonobi.com
2
INGRESSCOOKIE [x2]This cookie is used to distinguish between humans and bots.
Expiry: SessionType: HTTP
* creative-serving.com
mfadsrvr.com
sportradarserving.com
bidswitch.net
4
c [x4]Used in order to detect spam and improve the website's security.
Expiry: 1 yearType: HTTP
* www.intechopen.com
1
CookieConsentStores the user's cookie consent state for the current domain
Expiry: 1 yearType: HTTP
Preferences 3
Preference cookies enable a website to remember information that changes the way
the website behaves or looks, like your preferred language or the region that
you are in.
* www.intechopen.com
1
jwplayerLocalIdUsed to determine the optimal video quality based on the
visitor's device and network settings.
Expiry: PersistentType: HTML
* www.intechopen.com
cdnintech.com
2
intercom.intercom-state-# [x2]Remembers whether the user has minimized or
closed chat-box or pop-up messages on the website.
Expiry: PersistentType: HTML
Statistics 29
Statistic cookies help website owners to understand how visitors interact with
websites by collecting and reporting information anonymously.
* Casale Media
1
Learn more about this provider
crumThis cookie is used to identify the frequency of visits and how long the
visitor is on the website.
Expiry: SessionType: Pixel
* Google
6
Learn more about this provider
collectUsed to send data to Google Analytics about the visitor's device and
behavior. Tracks the visitor across devices and marketing channels.
Expiry: SessionType: Pixel
_gaRegisters a unique ID that is used to generate statistical data on how the
visitor uses the website.
Expiry: 2 yearsType: HTTP
_ga_#Used by Google Analytics to collect data on the number of times a user
has visited the website as well as dates for the first and most recent visit.
Expiry: 2 yearsType: HTTP
_gatUsed by Google Analytics to throttle request rate
Expiry: 1 dayType: HTTP
_gidRegisters a unique ID that is used to generate statistical data on how
the visitor uses the website.
Expiry: 1 dayType: HTTP
tdRegisters statistical data on users' behaviour on the website. Used for
internal analytics by the website operator.
Expiry: SessionType: Pixel
* Hotjar
6
Learn more about this provider
_hjAbsoluteSessionInProgressThis cookie is used to count how many times a
website has been visited by different visitors - this is done by assigning
the visitor an ID, so the visitor does not get registered twice.
Expiry: 1 dayType: HTTP
_hjFirstSeenThis cookie is used to determine if the visitor has visited the
website before, or if it is a new visitor on the website.
Expiry: 1 dayType: HTTP
_hjIncludedInSessionSample_#Collects statistics on the visitor's visits to
the website, such as the number of visits, average time spent on the website
and what pages have been read.
Expiry: 1 dayType: HTTP
_hjSession_#Collects statistics on the visitor's visits to the website, such
as the number of visits, average time spent on the website and what pages
have been read.
Expiry: 1 dayType: HTTP
_hjSessionUser_#Collects statistics on the visitor's visits to the website,
such as the number of visits, average time spent on the website and what
pages have been read.
Expiry: 1 yearType: HTTP
_hjTLDTestRegisters statistical data on users' behaviour on the website. Used
for internal analytics by the website operator.
Expiry: SessionType: HTTP
* Lotame
1
Learn more about this provider
lotame_domain_checkContains an visitor ID. This is used to identify the
visitor upon re-entry to the website.
Expiry: 1 dayType: HTTP
* Media.net
1
Learn more about this provider
cksync.phpThis cookie is used to determine if cookie data synchronization is
enabled or disabled – cookie data synchronization is used to synchronize and
gather visitor data on several domains.
Expiry: SessionType: Pixel
* Quantcast
1
Learn more about this provider
dCollects anonymous data on the user's visits to the website, such as the
number of visits, average time spent on the website and what pages have been
loaded with the purpose of generating reports for optimising the website
content.
Expiry: 3 monthsType: HTTP
* VWO
11
Learn more about this provider
_vis_opt_exp_#_combiUsed by Visual Website Optimizer to ensure that the same
user interface variant is displayed for each visit, if the user is
participating in a design experiment.
Expiry: SessionType: HTTP
_vis_opt_sUsed by Visual Website Optimizer to determine if the visitor is
participating in a design experiment.
Expiry: 100 daysType: HTTP
_vis_opt_test_cookieUsed to check if the user's browser supports cookies.
Expiry: SessionType: HTTP
_vwo_dsCollects data on the user's visits to the website, such as the number
of visits, average time spent on the website and what pages have been loaded
with the purpose of generating reports for optimising the website content.
Expiry: 2 monthsType: HTTP
_vwo_referrerRegisters data on visitors' website-behaviour. This is used for
internal analysis and website optimization.
Expiry: SessionType: HTTP
_vwo_snCollects statistics on the visitor's visits to the website, such as
the number of visits, average time spent on the website and what pages have
been read.
Expiry: 1 dayType: HTTP
_vwo_uuidUsed by Visual Website Optimizer to ensure that the same user
interface variant is displayed for each visit, if the user is participating
in a design experiment.
Expiry: 10 yearsType: HTTP
_vwo_uuid_v2This cookie is set to make split-tests on the website, which
optimizes the website's relevance towards the visitor – the cookie can also
be set to improve the visitor's experience on a website.
Expiry: 1 yearType: HTTP
analyzeThis cookie is used by the website’s operator in context with
multi-variate testing. This is a tool used to combine or change content on
the website. This allows the website to find the best variation/edition of
the site.
Expiry: SessionType: Pixel
v.gifThis cookie is set to make split-tests on the website, which optimizes
the website's relevance towards the visitor – the cookie can also be set to
improve the visitor's experience on a website.
Expiry: SessionType: Pixel
vwoSnThis cookie is set to make split-tests on the website, which optimizes
the website's relevance towards the visitor – the cookie can also be set to
improve the visitor's experience on a website.
Expiry: PersistentType: HTML
* Yandex
1
Learn more about this provider
yandexuidRegisters data on visitors' website-behaviour. This is used for
internal analysis and website optimization.
Expiry: 400 daysType: HTTP
* www.intechopen.com
1
pdfjs.historyRemembers which and how many PDF-documents have been downloaded
or read by the user. This is used for internal statistics.
Expiry: PersistentType: HTML
Marketing 138
Marketing cookies are used to track visitors across websites. The intention is
to display ads that are relevant and engaging for the individual user and
thereby more valuable for publishers and third party advertisers.
* Acuity
2
Learn more about this provider
auidRegisters a unique user ID that recognises the user's browser when
visiting websites that show ads from the same ad network. The cookie is used
to collect statistical data of the visitor's movements and to generate
targeted ads.
Expiry: 1 yearType: HTTP
aumCollects data on user behaviour and interaction in order to optimize the
website and make advertisement on the website more relevant.
Expiry: 1 yearType: HTTP
* Adform
1
Learn more about this provider
CUsed to check if the user's browser supports cookies.
Expiry: 1 monthType: HTTP
* Adgear
1
Learn more about this provider
bridgePresents the user with relevant content and advertisement. The service
is provided by third-party advertisement hubs, which facilitate real-time
bidding for advertisers.
Expiry: SessionType: Pixel
* Admixer
1
Learn more about this provider
am-uidThis cookie is used to identify the visitor and optimize ad-relevance
by collecting visitor data from multiple websites – this exchange of visitor
data is normally provided by a third-party data-center or ad-exchange.
Expiry: 3 monthsType: HTTP
* Adobe Inc.
1
Learn more about this provider
everest_g_v2Used for targeted ads and to document efficacy of each individual
ad.
Expiry: 1 yearType: HTTP
* Adotmob
1
Learn more about this provider
partnersPresents the user with relevant content and advertisement. The
service is provided by third-party advertisement hubs, which facilitate
real-time bidding for advertisers.
Expiry: 13 monthsType: HTTP
* Adroll
1
Learn more about this provider
cm/index/tp_outSets a unique ID for the visitor, that allows third party
advertisers to target the visitor with relevant advertisement. This pairing
service is provided by third party advertisement hubs, which facilitates
real-time bidding for advertisers.
Expiry: SessionType: Pixel
* AntVoice
2
Learn more about this provider
av-midPresents the user with relevant content and advertisement. The service
is provided by third-party advertisement hubs, which facilitate real-time
bidding for advertisers.
Expiry: 400 daysType: HTTP
av-tp-bswPresents the user with relevant content and advertisement. The
service is provided by third-party advertisement hubs, which facilitate
real-time bidding for advertisers.
Expiry: 2 daysType: HTTP
* Appnexus
2
Learn more about this provider
icuCollects data on visitor behaviour from multiple websites, in order to
present more relevant advertisement - This also allows the website to limit
the number of times that they are shown the same advertisement.
Expiry: 3 monthsType: HTTP
uuid2Registers a unique ID that identifies a returning user's device. The ID
is used for targeted ads.
Expiry: 3 monthsType: HTTP
* Beeswax
2
Learn more about this provider
bitoSets a unique ID for the visitor, that allows third party advertisers to
target the visitor with relevant advertisement. This pairing service is
provided by third party advertisement hubs, which facilitates real-time
bidding for advertisers.
Expiry: 13 monthsType: HTTP
bitoIsSecurePresents the user with relevant content and advertisement. The
service is provided by third-party advertisement hubs, which facilitate
real-time bidding for advertisers.
Expiry: 13 monthsType: HTTP
* Bidswitch
3
Learn more about this provider
bsw_origin_initCollects visitor data related to the user's visits to the
website, such as the number of visits, average time spent on the website and
what pages have been loaded, with the purpose of displaying targeted ads.
Expiry: SessionType: HTTP
custom_dataCollects data on user behaviour and interaction in order to
optimize the website and make advertisement on the website more relevant.
Expiry: SessionType: HTTP
syncCollects data on user behaviour and interaction in order to optimize the
website and make advertisement on the website more relevant.
Expiry: SessionType: Pixel
* Brand-display.com
1
Learn more about this provider
_knxq_Determines when the visitor last visited the different subpages on the
website, as well as sets a timestamp for when the session started.
Expiry: 400 daysType: HTTP
* Casale Media
3
Learn more about this provider
CMIDCollects visitor data related to the user's visits to the website, such
as the number of visits, average time spent on the website and what pages
have been loaded, with the purpose of displaying targeted ads.
Expiry: 1 yearType: HTTP
CMPROCollects data on visitor behaviour from multiple websites, in order to
present more relevant advertisement - This also allows the website to limit
the number of times that they are shown the same advertisement.
Expiry: 3 monthsType: HTTP
CMPSCollects visitor data related to the user's visits to the website, such
as the number of visits, average time spent on the website and what pages
have been loaded, with the purpose of displaying targeted ads.
Expiry: 3 monthsType: HTTP
* Crimtan
1
Learn more about this provider
cid_#Collects unidentifiable data that is sent to an unidentifiable source.
The source's identity is kept secret by the company, Whois Privacy Protection
Service, Inc.
Expiry: 1 yearType: HTTP
* Criteo
5
Learn more about this provider
cto_bundlePresents the user with relevant content and advertisement. The
service is provided by third-party advertisement hubs, which facilitate
real-time bidding for advertisers.
Expiry: 1 yearType: HTTP
cto_pub_test_tld [x2]Used to track visitors on multiple websites, in order to
present relevant advertisement based on the visitor's preferences.
Expiry: 1 dayType: HTTP
cto_writeable [x2]This cookie is set by the audience manager of a website in
order to determine if any additional third-party cookies can be set in the
visitor’s browser – third-party cookies are used to gather information or
track visitor behavior on multiple websites. Third-party cookies are set by a
third-party website or company.
Expiry: 1 dayType: HTTP
* Dataxu
4
Learn more about this provider
matchbidswitchSets a unique ID for the visitor, that allows third party
advertisers to target the visitor with relevant advertisement. This pairing
service is provided by third party advertisement hubs, which facilitates
real-time bidding for advertisers.
Expiry: 30 daysType: HTTP
matchcasaleCollects data on the user's visits to the website, such as what
pages have been loaded. The registered data is used for targeted ads.
Expiry: 30 daysType: HTTP
matchmedianetPending
Expiry: 30 daysType: HTTP
wfivefivecCollects data on the user's visits to the website, such as what
pages have been loaded. The registered data is used for targeted ads.
Expiry: 13 monthsType: HTTP
* Exponential
1
Learn more about this provider
ANON_IDCollects data on user visits to the website, such as what pages have
been accessed. The registered data is used to categorise the user's interest
and demographic profiles in terms of resales for targeted marketing.
Expiry: 3 monthsType: HTTP
* Google
26
Learn more about this provider
track/cmf/googlePresents the user with relevant content and advertisement.
The service is provided by third-party advertisement hubs, which facilitate
real-time bidding for advertisers.
Expiry: SessionType: Pixel
optoutIdentifies if the visitor has deselected any cookies, trackers or other
audience targeting tools.
Expiry: SessionType: HTTP
_cc_id_update_tsRegisters data on visitors from multiple visits and on
multiple websites. This information is used to measure the efficiency of
advertisement on websites.
Expiry: PersistentType: HTML
panoramaId_expiryRegisters data on visitors from multiple visits and on
multiple websites. This information is used to measure the efficiency of
advertisement on websites.
Expiry: PersistentType: HTML
panoramaId_expiry_expContains the expiry-date for the cookie with
corresponding name.
Expiry: PersistentType: HTML
_GESPSK-33across.comPending
Expiry: PersistentType: HTML
_GESPSK-crwdcntrl.netThis cookie registers data on the visitor. The
information is used to optimize advertisement relevance.
Expiry: PersistentType: HTML
_GESPSK-esp.criteo.comCollects data on user behaviour and interaction in
order to optimize the website and make advertisement on the website more
relevant.
Expiry: PersistentType: HTML
_GESPSK-id5-sync.comPresents the user with relevant content and
advertisement. The service is provided by third-party advertisement hubs,
which facilitate real-time bidding for advertisers.
Expiry: PersistentType: HTML
_GESPSK-openxPresents the user with relevant content and advertisement. The
service is provided by third-party advertisement hubs, which facilitate
real-time bidding for advertisers.
Expiry: PersistentType: HTML
_GESPSK-pubcid.orgThis cookie registers data on the visitor. The information
is used to optimize advertisement relevance.
Expiry: PersistentType: HTML
_GESPSK-rtbhouseRegisters user behaviour and navigation on the website, and
any interaction with active campaigns. This is used for optimizing
advertisement and for efficient retargeting.
Expiry: PersistentType: HTML
_GESPSK-uidapi.comUsed in context with pop-up advertisement-content on the
website. The cookie determines which ads the visitor should be shown, as well
as ensuring that the same ads does not get shown more than intended.
Expiry: PersistentType: HTML
DSIDUsed by Google DoubleClick for re-targeting, optimisation, reporting and
attribution of online adverts.
Expiry: 1 dayType: HTTP
IDEUsed by Google DoubleClick to register and report the website user's
actions after viewing or clicking one of the advertiser's ads with the
purpose of measuring the efficacy of an ad and to present targeted ads to the
user.
Expiry: 400 daysType: HTTP
rc::hPending
Expiry: SessionType: HTML
ar_debugPending
Expiry: 3 monthsType: HTTP
pagead/gen_204Collects data on visitor behaviour from multiple websites, in
order to present more relevant advertisement - This also allows the website
to limit the number of times that they are shown the same advertisement.
Expiry: SessionType: Pixel
pcs/activeviewUsed by DoubleClick to determine whether website advertisement
has been properly displayed - This is done to make their marketing efforts
more efficient.
Expiry: SessionType: Pixel
__gadsUsed to register what ads have been displayed to the user.
Expiry: 1 yearType: HTTP
__gpiCollects information on user behaviour on multiple websites. This
information is used in order to optimize the relevance of advertisement on
the website.
Expiry: 1 yearType: HTTP
cto_bundlePresents the user with relevant content and advertisement. The
service is provided by third-party advertisement hubs, which facilitate
real-time bidding for advertisers.
Expiry: PersistentType: HTML
ANON_ID_oldCollects data about the user's visit to the site, such as the
number of returning visits and which pages are read. The purpose is to
deliver targeted ads.
Expiry: 3 monthsType: HTTP
z/i.matchPresents the user with relevant content and advertisement. The
service is provided by third-party advertisement hubs, which facilitate
real-time bidding for advertisers.
Expiry: SessionType: Pixel
r/cms/id/0/ddc/1/pid/18/uid/Presents the user with relevant content and
advertisement. The service is provided by third-party advertisement hubs,
which facilitate real-time bidding for advertisers.
Expiry: SessionType: Pixel
GoogleAdServingTestUsed to register what ads have been displayed to the user.
Expiry: SessionType: HTTP
* Lotame
2
Learn more about this provider
panoramaIdRegisters data on visitors from multiple visits and on multiple
websites. This information is used to measure the efficiency of advertisement
on websites.
Expiry: SessionType: HTTP
panoramaId_expiryRegisters data on visitors from multiple visits and on
multiple websites. This information is used to measure the efficiency of
advertisement on websites.
Expiry: SessionType: HTTP
* MED Snippets
5
Learn more about this provider
_sessCollects information on user preferences and/or interaction with
web-campaign content - This is used on CRM-campaign-platform used by website
owners for promoting events or products.
Expiry: 1 dayType: HTTP
dmd-ahkCollects information on user behaviour on multiple websites. This
information is used in order to optimize the relevance of advertisement on
the website.
Expiry: 1 dayType: HTTP
dmd-sidCollects information on user behaviour on multiple websites. This
information is used in order to optimize the relevance of advertisement on
the website.
Expiry: 1 dayType: HTTP
dmd-vidCollects information on user behaviour on multiple websites. This
information is used in order to optimize the relevance of advertisement on
the website.
Expiry: 1 dayType: HTTP
s-DMDSESSIDCollects data on the user across websites - This data is used to
make advertisement more relevant.
Expiry: SessionType: HTTP
* MediMath
1
Learn more about this provider
mt_mopCollects data on the user's visits to the website, such as what pages
have been loaded. The registered data is used for targeted ads.
Expiry: 30 daysType: HTTP
* Media.net
3
Learn more about this provider
data-cPresents the user with relevant content and advertisement. The service
is provided by third-party advertisement hubs, which facilitate real-time
bidding for advertisers.
Expiry: 30 daysType: HTTP
data-c-tsCollects data on the user across websites - This data is used to
make advertisement more relevant.
Expiry: 30 daysType: HTTP
data-xuPending
Expiry: 1 yearType: HTTP
* Openx
1
Learn more about this provider
iRegisters anonymised user data, such as IP address, geographical location,
visited websites, and what ads the user has clicked, with the purpose of
optimising ad display based on the user's movement on websites that use the
same ad network.
Expiry: 1 yearType: HTTP
* Quantcast
1
Learn more about this provider
mcCollects data on the user's visits to the website, such as what pages have
been loaded. The registered data is used for targeted ads.
Expiry: 13 monthsType: HTTP
* Simpli.fi
2
Learn more about this provider
suidCollects information on user preferences and/or interaction with
web-campaign content - This is used on CRM-campaign-platform used by website
owners for promoting events or products.
Expiry: 1 yearType: HTTP
suid_legacyCollects information on user preferences and/or interaction with
web-campaign content - This is used on CRM-campaign-platform used by website
owners for promoting events or products.
Expiry: 1 yearType: HTTP
* Sonobi
5
Learn more about this provider
__uihPending
Expiry: 1 dayType: HTTP
__uisUsed to track visitors on multiple websites, in order to present
relevant advertisement based on the visitor's preferences.
Expiry: 30 daysType: HTTP
_usd_intechopen.comPending
Expiry: 1 dayType: HTTP
HAPLB8GPending
Expiry: SessionType: HTTP
us.gifUsed to track the visitor's usage of GIFs - This serves for analytical
and marketing purposes.
Expiry: SessionType: Pixel
* Sportradar
4
Learn more about this provider
zuuidUsed to track visitors on multiple websites, in order to present
relevant advertisement based on the visitor's preferences.
Expiry: 1 yearType: HTTP
zuuid_kSets a unique ID for the visitor, that allows third party advertisers
to target the visitor with relevant advertisement. This pairing service is
provided by third party advertisement hubs, which facilitates real-time
bidding for advertisers.
Expiry: 1 yearType: HTTP
zuuid_k_luSets a unique ID for the visitor, that allows third party
advertisers to target the visitor with relevant advertisement. This pairing
service is provided by third party advertisement hubs, which facilitates
real-time bidding for advertisers.
Expiry: 1 yearType: HTTP
zuuid_luSets a unique ID for the visitor, that allows third party advertisers
to target the visitor with relevant advertisement. This pairing service is
provided by third party advertisement hubs, which facilitates real-time
bidding for advertisers.
Expiry: 1 yearType: HTTP
* TapTap
1
Learn more about this provider
SONATA_IDUsed to track the visitor across multiple devices including TV. This
is done in order to re-target the visitor through multiple channels.
Expiry: 1 yearType: HTTP
* VWO
1
Learn more about this provider
s.gifRegisters user behaviour and navigation on the website, and any
interaction with active campaigns. This is used for optimizing advertisement
and for efficient retargeting.
Expiry: SessionType: Pixel
* Xaxis
1
Learn more about this provider
t/v2/syncUsed for data-synchronization with advertisement networks.
Expiry: SessionType: Pixel
* Yahoo
2
Learn more about this provider
A3Collects information on user behaviour on multiple websites. This
information is used in order to optimize the relevance of advertisement on
the website.
Expiry: 1 yearType: HTTP
sync/casalePending
Expiry: SessionType: Pixel
* Yandex
2
Learn more about this provider
bhPending
Expiry: 1 yearType: HTTP
yuidssCollects information on user behaviour on multiple websites. This
information is used in order to optimize the relevance of advertisement on
the website.
Expiry: 400 daysType: HTTP
* YouTube
7
Learn more about this provider
LAST_RESULT_ENTRY_KEYUsed to track user’s interaction with embedded content.
Expiry: SessionType: HTTP
nextIdUsed to track user’s interaction with embedded content.
Expiry: SessionType: HTTP
remote_sidNecessary for the implementation and functionality of YouTube
video-content on the website.
Expiry: SessionType: HTTP
requestsUsed to track user’s interaction with embedded content.
Expiry: SessionType: HTTP
TESTCOOKIESENABLEDUsed to track user’s interaction with embedded content.
Expiry: 1 dayType: HTTP
VISITOR_INFO1_LIVETries to estimate the users' bandwidth on pages with
integrated YouTube videos.
Expiry: 180 daysType: HTTP
YSCRegisters a unique ID to keep statistics of what videos from YouTube the
user has seen.
Expiry: SessionType: HTTP
* Zeta Global
3
Learn more about this provider
eudRegisters user data, such as IP address, geographical location, visited
websites, and what ads the user has clicked, with the purpose of optimising
ad display based on the user's movement on websites that use the same ad
network.
Expiry: 1 yearType: HTTP
rudRegisters user data, such as IP address, geographical location, visited
websites, and what ads the user has clicked, with the purpose of optimising
ad display based on the user's movement on websites that use the same ad
network.
Expiry: 1 yearType: HTTP
rudsRegisters user data, such as IP address, geographical location, visited
websites, and what ads the user has clicked, with the purpose of optimising
ad display based on the user's movement on websites that use the same ad
network.
Expiry: SessionType: HTTP
* adform.net
adotmob.com
criteo.com
turn.com
4
uid [x4]Registers a unique user ID that recognises the user's browser when
visiting websites that use the same ad network. The purpose is to optimise
display of ads based on the user's movements and various ad providers' bids
for displaying user ads.
Expiry: 2 monthsType: HTTP
* adotmob.com
ads.avct.cloud
bidswitch.net
mathtag.com
4
uuid [x4]This cookie is used to optimize ad relevance by collecting visitor
data from multiple websites – this exchange of visitor data is normally
provided by a third-party data-center or ad-exchange.
Expiry: 13 monthsType: HTTP
* bidswitch.net
creative-serving.com
mfadsrvr.com
6
tuuid [x3]Registers whether or not the user has consented to the use of
cookies.
Expiry: 1 yearType: HTTP
tuuid_lu [x3]Contains a unique visitor ID, which allows Bidswitch.com to
track the visitor across multiple websites. This allows Bidswitch to optimize
advertisement relevance and ensure that the visitor does not see the same ads
multiple times.
Expiry: 1 yearType: HTTP
* casalemedia.com
stackadapt.com
6
sa-user-id [x2]Used to track visitors on multiple websites, in order to
present relevant advertisement based on the visitor's preferences.
Expiry: SessionType: HTTP
sa-user-id-v2 [x2]Used to track visitors on multiple websites, in order to
present relevant advertisement based on the visitor's preferences.
Expiry: SessionType: HTTP
sa-user-id-v3 [x2]Pending
Expiry: SessionType: HTTP
* cdn.ehealthcaresolutions.com
2
track/cmf/genericPresents the user with relevant content and advertisement.
The service is provided by third-party advertisement hubs, which facilitate
real-time bidding for advertisers.
Expiry: SessionType: Pixel
w/1.0/cmPresents the user with relevant content and advertisement. The
service is provided by third-party advertisement hubs, which facilitate
real-time bidding for advertisers.
Expiry: SessionType: Pixel
* cdnintech.com
13
dmd-ahkCollects information on user behaviour on multiple websites. This
information is used in order to optimize the relevance of advertisement on
the website.
Expiry: SessionType: HTML
LogsDatabaseV2:V#||LogsRequestsStorePending
Expiry: PersistentType: IDB
ServiceWorkerLogsDatabase#SWHealthLogNecessary for the implementation and
functionality of YouTube video-content on the website.
Expiry: PersistentType: IDB
yt.innertube::nextIdRegisters a unique ID to keep statistics of what videos
from YouTube the user has seen.
Expiry: PersistentType: HTML
ytidb::LAST_RESULT_ENTRY_KEYUsed to track user’s interaction with embedded
content.
Expiry: PersistentType: HTML
YtIdbMeta#databasesUsed to track user’s interaction with embedded content.
Expiry: PersistentType: IDB
yt-remote-cast-availableStores the user's video player preferences using
embedded YouTube video
Expiry: SessionType: HTML
yt-remote-cast-installedStores the user's video player preferences using
embedded YouTube video
Expiry: SessionType: HTML
yt-remote-connected-devicesStores the user's video player preferences using
embedded YouTube video
Expiry: PersistentType: HTML
yt-remote-device-idStores the user's video player preferences using embedded
YouTube video
Expiry: PersistentType: HTML
yt-remote-fast-check-periodStores the user's video player preferences using
embedded YouTube video
Expiry: SessionType: HTML
yt-remote-session-appStores the user's video player preferences using
embedded YouTube video
Expiry: SessionType: HTML
yt-remote-session-nameStores the user's video player preferences using
embedded YouTube video
Expiry: SessionType: HTML
* content.tapnative.com
2
adx_profile_guid [x2]Pending
Expiry: 4883 daysType: HTTP
* mediago.io
1
__mguid_Registers a unique ID that identifies a returning user's device. The
ID is used for targeted ads.
Expiry: 1 yearType: HTTP
* mfadsrvr.com
1
sshUsed to track visitors on multiple websites, in order to present relevant
advertisement based on the visitor's preferences.
Expiry: 400 daysType: HTTP
Unclassified 14
Unclassified cookies are cookies that we are in the process of classifying,
together with the providers of individual cookies.
* Google
1
Learn more about this provider
GAIDPending
Expiry: 30 daysType: HTTP
* Index Exchange
1
Learn more about this provider
IXWRAPPERlib_memPending
Expiry: PersistentType: HTML
* Lotame
1
Learn more about this provider
panoramaIdTypePending
Expiry: SessionType: HTTP
* MED Snippets
6
Learn more about this provider
dmd-dgid [x2]Pending
Expiry: SessionType: HTTP
dmd-signal-#-#-#-#-#-#-#-#Pending
Expiry: 1 dayType: HTTP
dmd-ipPending
Expiry: SessionType: HTTP
dmd-macPending
Expiry: SessionType: HTTP
dmd-pidPending
Expiry: SessionType: HTTP
* cdnintech.com
3
latestViewedCollectionPending
Expiry: PersistentType: HTML
ActiveSessionPending
Expiry: SessionType: HTTP
s-dmd-id-xPending
Expiry: SessionType: HTTP
* www.intechopen.com
cdnintech.com
2
adx_profile_guid [x2]Pending
Expiry: PersistentType: HTML
Cross-domain consent[#BULK_CONSENT_DOMAINS_COUNT#] [#BULK_CONSENT_TITLE#]
List of domains your consent applies to: [#BULK_CONSENT_DOMAINS#]
Cookie declaration last updated on 2023-08-11 by Cookiebot
[#IABV2_TITLE#]
[#IABV2_BODY_INTRO#]
[#IABV2_BODY_LEGITIMATE_INTEREST_INTRO#]
[#IABV2_BODY_PREFERENCE_INTRO#]
[#IABV2_LABEL_PURPOSES#]
[#IABV2_BODY_PURPOSES_INTRO#]
[#IABV2_BODY_PURPOSES#]
[#IABV2_LABEL_FEATURES#]
[#IABV2_BODY_FEATURES_INTRO#]
[#IABV2_BODY_FEATURES#]
[#IABV2_LABEL_PARTNERS#]
[#IABV2_BODY_PARTNERS_INTRO#]
[#IABV2_BODY_PARTNERS#]
Cookies are small text files that can be used by websites to make a user's
experience more efficient.
The law states that we can store cookies on your device if they are strictly
necessary for the operation of this site. For all other types of cookies we need
your permission.
This site uses different types of cookies. Some cookies are placed by third
party services that appear on our pages.
You can at any time change or withdraw your consent from the Cookie Declaration
on our website.
Learn more about who we are, how you can contact us and how we process personal
data in our Privacy Policy.
Please state your consent ID and date when you contact us regarding your
consent.
Do not sell or share my personal information
Deny Allow selection Customize
Allow all
Powered by Cookiebot by Usercentrics
* Books
* Book Series
* Journals
* Publish
* About
* News
Author Panel Sign in
Menu
AI, Computer Science and Robotics Technology
Publish in Journals
Submission
* Getting Started
* Author Guidelines
* Publishing Process
* Paper Types
* Call for Papers
Policies
* Copyright and Licensing Policy
* Ethical publishing Practice
* Research Ethics and Reporting
* Autorship Policy and Criteria
* Competing Interests
* Disclosure of Funding
* Data Sharing and Availability
Manuscript Review and Publication
* Criteria for Publication
* Editorial and Peer Review Process
* Editorial Guidelines
* Guidelines for Reviewers
Articles
About
* Aims & Scope
* Editor in Chief
* Abstracting, Indexing & Archiving
* Bibliographic Information
* Open Access
* Contact
Editorial Board
AI, Computer Science and Robotics Technology
--------------------------------------------------------------------------------
Publish in journals
Submission
--------------------------------------------------------------------------------
Getting StartedAuthor GuidelinesPublishing ProcessPaper TypesCall for Papers
Policies
--------------------------------------------------------------------------------
Copyright and Licensing PolicyEthical publishing PracticeResearch Ethics and
ReportingAutorship Policy and CriteriaCompeting InterestsDisclosure of
FundingData Sharing and Availability
Manuscript Review and Publication
--------------------------------------------------------------------------------
Criteria for PublicationEditorial and Peer Review ProcessEditorial
GuidelinesGuidelines for Reviewers
Articles
About
Aims & ScopeEditor in ChiefAbstracting, Indexing & ArchivingBibliographic
InformationOpen AccessContact
Editorial Board
1. Journals>
2. AI, Computer Science and Robotics Technology
Open access peer-reviewed article
ADVERSARIAL AI TESTCASES FOR MARITIME AUTONOMOUS SYSTEMS
Mathew J Walter
--------------------------------------------------------------------------------
Aaron Barrett
--------------------------------------------------------------------------------
David J Walker
--------------------------------------------------------------------------------
Kimberly Tam
--------------------------------------------------------------------------------
This Article is part of THE SPECIAL ISSUE: APPLIED AI IN CYBER SECURITY, LED BY
EDUARD BABULAK, NATIONAL SCIENCE FOUNDATION (NSF), UNITED STATES OF AMERICA
Article metrics overview
254 Article Downloads
View Full Metrics
Article Type: Research Paper
Date of acceptance: March 2023
Date of publication: April 2023
DoI: 10.5772/acrt.15
copyright: ©2023 The Author(s), Licensee IntechOpen, License: CC BY 4.0
Download for free
Cite
Table of contents
--------------------------------------------------------------------------------
Introduction
--------------------------------------------------------------------------------
Background
--------------------------------------------------------------------------------
Adversarial AI in maritime autonomous systems
--------------------------------------------------------------------------------
AI security principles for MAS
--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------
Conflict of interest
--------------------------------------------------------------------------------
Acknowledgments
--------------------------------------------------------------------------------
ABSTRACT
Contemporary maritime operations such as shipping are a vital component
constituting global trade and defence. The evolution towards maritime autonomous
systems, often providing significant benefits (e.g., cost, physical safety),
requires the utilisation of artificial intelligence (AI) to automate the
functions of a conventional crew. However, unsecured AI systems can be plagued
with vulnerabilities naturally inherent within complex AI models. The
adversarial AI threat, primarily only evaluated in a laboratory environment,
increases the likelihood of strategic adversarial exploitation and attacks on
mission-critical AI, including maritime autonomous systems. This work evaluates
AI threats to maritime autonomous systems in situ. The results show that
multiple attacks can be used against real-world maritime autonomous systems with
a range of lethality. However, the effects of AI attacks vary in a dynamic and
complex environment from that proposed in lower entropy laboratory environments.
We propose a set of adversarial test examples and demonstrate their use,
specifically in the marine environment. The results of this paper highlight
security risks and deliver a set of principles to mitigate threats to AI,
throughout the AI lifecycle, in an evolving threat landscape.
KEYWORDS
* maritime cyber security
* adversarial AI
* maritime autonomous systems
Author information
Show
1.
INTRODUCTION
In recent years artificial intelligence (AI) has been utilised to automate many
operations and processes abound in academia and industry. One globally crucial
industry is maritime, which recognises the plethora of benefits automation could
bring over contemporary vessels; these include reduced crew requirements, ease
and optimisation of processes, increased crew safety, the possibility of
significant operational cost reduction, and emission reduction [1–7]. Therefore,
it is seemingly indisputable that greater automation, and hence the utilisation
of maritime autonomous systems (MAS), will play a significant role in the
maritime industry in future years. Furthermore, the development of these systems
has already been initiated; for example, the work of [8] developed a
reduced-crew autonomous ocean-travelling ship. Other work, such as the Mayflower
autonomous ship, intends to be fully automated [9]. The Yara Birkeland project,
based in Norway, has also seen successes with automated coastal hopping but with
open questions around the cost of insurance, cyber security, and
contingencies [7]. The Royal Navy is also making great use of uncrewed surface
vessels (USV).001
Much of the advanced automation will be the product of AI, given its proven
success, particularly in optimisation, clustering, classification and
regression. However, whilst AI has great potential for significant benefits, the
nature of subsymbolic AI makes the process of understanding the solution
generation mechanism difficult to interpret, yielding a black-box nature,
particularly so for deep neural networks relying on billions of parameters, in
addition to the high-dimensional phenomena. Therefore, AI has been documented to
be a security risk with the term adversarial AI (AAI) coined for the misuse of
AI. The fields of AAI and eXplainable AI (XAI) have shown the dangers and safety
risks poor development of mission-critical AI can exhibit, in some cases leading
to the possibility of fatalities [10]. AI can be used to automate attacks on
other technologies, as well as being a technology that can be vulnerable to
attacks. AI can be attacked with multiple opportunities through the whole AI
development process to the deployment of AI technology. What is more concerning
is the lack of existing literature which considers AAI in the risk assessments
and security of MAS, all whilst we are seeing increasing examples of adversarial
AI [11, 12].
In this paper, the authors consider the threat of AI over a multi-domain
literature analysis to parameterise AAI specific tests designed to strengthen
MAS development. First, we consider the threats of today and the future that AI
in the maritime environment may face. Given that AI for both land-based and
air-based operations overlap but are not identical, this indicates that the
challenges brought on by a marine environment (e.g., water distortion and
reflections) will also have its own unique subset of challenges. By examining
each class of MAS AI for vulnerabilities to AAI during its lifecycle, the
authors are able to theorise a set of test cases. These can then be used to
increase safe, reliable, and trustworthy AI solutions for maritime operations.
Finally, we propose best practices to secure MAS within maritime environments.
Ultimately, this research aims to highlight the fast-approaching dangers of
ubiquitous AI/automation in MAS and motivate the inclusion of AAI in MAS risk
assessment to mitigate against the dangers to all MAS stakeholders.
This paper offers the following novel contributions:
1. (1)
A start-to-end lifecycle evaluation of AAI threats against maritime
autonomous systems in situ;
2. (2)
A comprehensive review and evaluation of AI threats to MAS considering the
AAI and MAS literature;
3. (3)
Case examples to support high-fidelity real-world tests over laboratory
environments for AAI;
4. (4)
Principles to better secure MAS against AAI and ways to enhance MAS AI
security across its lifecycle.
The paper is structured as follows: Section 2 critically reviews existing
literature across multiple domains to understand the current state of the art.
We consider AI in autonomous maritime systems and then examine the threat of
adversarial AI in that context. Section 3 considers the types of AI used in MAS
and the existing threats to these systems. Section 4 presents an evaluation and
analysis of general adversarial principles to MAS. Finally, we conclude and
provide further work in Section 5.
2.
BACKGROUND
2.1.
AI IN MARITIME AUTONOMOUS SYSTEMS
2.1. 1.
SENSORS AND INSTRUMENTS
Shipping is a crucial part of global trade, accounting for nearly 90% of
international trade [13]. Waterborne vessels are also critical for human
transport, naval defence, and scientific exploration and monitoring of the seas
and inland bodies of water. The successful automation of shipping and other
maritime operations and services could bring significant advantages over
contemporary vessels. Many of these advantages include reducing costs and
increasing safety. For example, having no crew aboard ameliorates human factor
errors, safety from dangerous working conditions and adverse weather,
captivity/attacks from pirates or criminals, more socially supportive conditions
and even a reduction in the transmission of some pathogens. Other advantages
include cost savings via not having to employ crew, more storage capacity,
cheaper development of vessels (crew facilities and living spaces not required),
and more economical and environmentally friendly vessels [14]. Some of these
benefits, especially crew physical safety, can be obtained, to a reduced degree,
with remote unmanned vessels. However, higher tiers of autonomy are needed to
maximise these benefits. Furthermore, remote systems would be susceptible to
many cyber security attacks, such as jamming and hacking the remote
communication [15].
Maritime autonomy can be categorised into different levels, similar to the way
autonomous cars and advanced air mobility (AAM), i.e., drones and aircraft, are
defined. For example, the Maritime Safety Committee (MSC) of the International
Maritime Organisation (IMO) categorises autonomy into four levels. Level 1
pertains to vessels with autonomous components which support the vessel’s crew.
Level 2 vessels also have crew aboard to support operations, but a remote
control centre operates the vessel. Level 3 vessels are remotely controlled and
unmanned. Level 4 vessels are unmanned and fully autonomous. In this work, we
will consider only level 4 systems. Other organisations also provide different
autonomous level systems, e.g., [8].
As the work of [16] suggests, autonomous systems consist of perception and
control elements. Perception elements can be considered the sensors or systems
that collect information to be used by the control elements that control the
vessel’s actions. Contemporary vessels usually have a number of sensors on board
to support crew decisions, therefore, leading to an existing framework for
autonomous systems (although some sensors may require adaptation in MAS). These
sensors and systems include; RADAR (radio detection and ranging) to find,
usually large, objects with radio waves. The velocity of the object can be
determined with doppler RADARs; object detection can be done with other sectors
of the electromagnetic spectrum, such as light detection and ranging (LiDAR),
which uses infrared light from lasers—these small wavelengths can detect smaller
objects and more accurately detect features but at shorter ranges. Echosounders
can be used in a similar way to RADAR and LiDAR; however, echosounders use sound
pulses to detect underwater objects, such as the depth of the water.
Echosounders can be forwards (or laterally) looking as well as vertical to
assist in collision avoidance. Multibeam echosounders can give a 3D point cloud
which can be geolocated with millimetric accuracy using RTK GNSS. Measuring echo
return backscatter can give useful data about detected objects that go beyond
purely the range and baring, giving details about the nature of the detected
surface. CCTV/IR/multispectral cameras can be used to detect close-range
objects, such as coastal landmarks or objects in the water, akin to LiDAR;
furthermore, multiple cameras can be used to triangulate and detect the range of
objects; objects can also be captured in colour at high resolution. An array of
microphones can be used to detect audio cues on a vessel but may be disrupted by
a lot of audio noise, such as the sound of waves, wind and other vessels.
Directional microphone arrays are now available that can indicate the range and
bearing of remote sounds. These will be essential in the future for autonomous
vessel to perceive the direction of sound signals. Automatic identification
system (AIS) uses very high frequency (VHF) radio to transmit and receive vessel
locations and vessel data. Global navigation satellite systems (GNSS) (such as
GPS or Galileo) can support dynamic positioning (DP) systems and location
services. Electronic chart display and information system (ECDIS) renders
charting information. Vessels can contain weather sensors (barometer,
temperature, wind speed etc.). Vessels often contain systems for broadband and
3G/4G/5G, as well as VHF for communication. Cargo supervision systems often host
an array of sensors such as internal temperature, humidity, smoke detectors.
When considering shipping, sensors for monitoring cargo (e.g., food, gas, oil,
passengers) are often specific to the specific maintenance needs of that cargo.
Vessels often also contain fault diagnosis and voyage data recorder (VDR)
systems that store sensor data for post-incident analyses.
Vessels may also contain specialist sensors unique to the vessel type, which
determines its size (e.g., gross tonnage), area of operation (e.g., Arctic), and
cargo type (e.g., fertilizer). Vessels could also use AI in airborne, surface or
subsurface drones to extend sensor range. Studies also show the benefits of
multi-sensor perception systems [16], which increase the accuracy of the
available data by using multi-systems, e.g., a small object may not be detected
by RADAR but instead detected by the camera through cross-validation of system
data. Multiple sensors can also support an element of redundancy. Additionally,
the challenges of detecting objects in their natural environment, for example,
both on the surface of the water and subsurface, yields difficulties. The water
itself can cause confusing distortions but also presents an arduous environment
for the physical devices (e.g., salt corrosion).
2.1. 2.
ARTIFICIAL INTELLIGENCE
In fully autonomous maritime systems, AI is used to support, supplement, or
replace crews in automating the operations of the vessel. The AI takes sensor
data as input and makes decisions to automate the vessel’s processes. Different
AI types are required for different systems because of the range of tasks
required by a fully autonomous marine system. The sensors previously discussed
can be used as input features to support AI systems to safely navigate the ocean
and maintain the functionality of the vessel. However, there exists an overlap
in technology, e.g., in order to avoid objects, one requires a degree of
situational awareness. We next consider AI for autonomous systems, as
categorised in [8], which consists of several AI technologies connected to a DP
system that controls the vessel. These technologies include:
* Situational awareness (SA)—the SA component is required to determine the
vessel’s real-time location and the vessel’s environment (for example, the
detection and range of objects). SA modules may also use natural language
processing (NLP) to interpret incoming communications. This AI system can use
a number of different types of methods and algorithms, such as convolutional
neural networks (CNN), region proposal networks (RPN) and sensors to detect
landmark objects and navigational cues such as coastal features or
buoys [17]. In addition, the AI system could be supported by other non-AI
systems, such as GNSS, to cross-validate the vessel’s location.
* Collision avoidance—uses SA information and prevents the vessel from
colliding with objects. These systems use computer vision object recognition
to detect objects (SA module output) and feed into the local autonomous route
planning modules to change the vessel’s trajectory to avoid a collision. Some
AI technologies used are CNNs [18] to locate objects and support vector
machines (SVMs) which have previously been used to output a new trajectory to
prevent collisions [19].
* Global autonomous optimal planning modules—ensure the vessel’s movement along
the optimal route; an optimal global route may depend on many objectives such
as the quickest route, most fuel-efficient, economical and safest route
(e.g., weather, global tensions, piracy). The common algorithms utilised are
evolutionary algorithms (EAs) which can evolve optimal high-dimensional
solutions, particle swarm optimisation (PSO) and ant colony optimisation
(ACO), which use the emergence properties of nature to find optimal
solutions [20–22].
The vessel may also include AI to support specialist tasks such as auto
berthing/mooring and engine condition maintenance which assist with the general
functionality of the vessel. Other examples include Gaussian processes, neural
networks, Bayesian modelling, and active learning that can be used for anomaly
detection in autonomous vessels to detect deviations and unexpected events [17].
2.2.
ADVERSARIAL AI
The advancement and ever-increasing size of neural networks increase the
complexity of applications supported by AI. However, as the complexity of the
model increases, explainability and hence the interpretability of the model
decrease [23]. The lack of explainability for complex models, combined with
high-dimensional phenomena and poor security principles, can give rise to
adversarial AI. The work of [24] was one of the earliest to recognise that
neural networks yield properties that can be vulnerable to adversarial attacks,
and a 2023 survey paper identified 32 offensive AI capabilities [25].
Governments globally have begun to recognise the threat; notably, the 2021 U.S.
National Security Commission on AI stated, “the U.S. government is not prepared
to defend the United States in the coming artificial intelligence (AI) era”.
Many other countries are preparing for an Adversarial AI (AAI) wave by
developing frameworks which attempt to secure AI systems [26, 27]. Furthermore,
academic authors [11] have highlighted that “the number of adversarial attacks
will continue to increase in the future as the economic benefits trend”. As of
now, adversarial AI has been demonstrated in a number of applications to support
social engineering/spear phishing [28], biometric spoofing [29], computer vision
object recognition [30–32], malware development avoiding network
detection [33–36], NLP [37, 38], and attacks on cloud APIs [39] to name a few.
We recognise AI can be, and has been, used as an attacking tool, e.g., the
automation of conventional cyber attacks, side-channel analysis, creation of
deepfake media, OSINT collection and analysis. However, these more active AI
threats are outside the scope of this paper. Instead, we focus on the inherent
vulnerabilities within AI systems processes (in particular, threats to maritime
autonomous systems), and how AAI tests can reveal those vulnerabilities to the
developer. The primary adversarial goals of AAI are to attack the
confidentiality, integrity and accessibility (CIA) triad for ML processes of AI
systems.
1. (1)
Confidentiality—sensitive data can be used during the training phase of the
model and has been shown to be extractable from the model [39, 40]. This is
of particular concern to a model which uses sensitive data (such as
governments) and personal data (privacy concern). Furthermore, data is one
of the most valuable resources in modern times [41] and developing AI can be
a long and expensive process which could be bypassed with large financial
gain by stealing the intellectual property (IP) of the model. As MAS is a
new area of growth globally, competition is significantly high.
2. (2)
Integrity—often involving the attacker aiming to get the AI system to
misclassify an input to a specific target or any other false target,
usually, so the system carries out an intended adversarial action such as
allowing malicious traffic to pass through a network AI-based IDS [42]. This
is a concern with physical object evasion in mission-critical AI, such as
naval mine detection, for which an attack could damage the integrity of the
AI.
3. (3)
Accessibility—this adversarial goal is similar to denial of service type
attacks where the attacker usually intends to cause high numbers of
misclassification to deem the AI inoperable or cause a serious
misclassification such as changing the interpretation of a perturbed stop
sign; this should prevent the use and access of the AI [43].
These terms can overlap with the risk and threat commensurate with the
application of the system, e.g., attacks on mission-critical AI posing the
greatest threat. Before we consider the different types of existing attacks on
AI, we introduce some key terms, namely, closed-box algorithms and open-box
algorithms. We note particular confusion with the term black-box algorithm—in
the general AI literature, black-box often refers to the poor interpretability
of AI models—that is, given the model architecture, hyperparameters and even raw
weight values, the combination of interpreting billions of weight values, makes
the algorithm difficult to interpret the inner workings (how a prediction is
being made by some instance passed through the model). However, the use of the
term black-box in the adversarial AI literature appears to take a slightly
different meaning which is that the attackers of the AI systems do not know any
of the model’s architecture, hyperparameters and weights but merely have access
to only a model API input and the final result. In this and future sections, we
instead use the term closed-box AI which will refer to the attacker only having
access to the model inputs and outputs. In contrast, open-box will refer to
having access to the inputs, outputs and also all the model’s parameters and
architecture. AAI survey papers use a range of nomenclature to classify attacks.
We now consider some of the most prominent adversarial AI methods disclosed in
the AAI literature. We note that a large proportion of these methods are
relevant to computer vision, and this is considered as one of the primary AI
concerns in the near future [25]. Adversarial attacks are not limited to the
post-deployment stage and can be attacked in earlier development stages of the
ML pipeline. We categorise this literature into attacks that are performed in
pre-deployment and -post-deployment stages.
In the pre-deployment stage, an attacker is concerned with altering the
development of the AI model, known as poisoning attacks. These attacks can have
a lasting effect on the model through the rest of the model’s lifespan. Some key
pre-deployment attacks include manipulating training data; this can be done by
poisoning the training dataset. The motives for this attack could be the
misclassification for evasion and misclassification to lower the classification
rate. This can be done by changing the distribution of the training dataset by
modifying feature values or injecting new training samples [44], as well as
changing the training labels [45].
The post-deployment methods are more concerned with evasion and inversion
attacks. Model extraction and model inversion attacks aim to acquire information
about the model. Given the time-consuming and expensive training to collect
data, preprocess and train a model, the information could include sensitive data
points or information about the model’s architecture to steal proprietary
information or sensitive data [46, 47]. Furthermore, if one is able to recreate
an accurate surrogate model, then one could use the model to create adversarial
examples in an offline environment where one is more stealthy and able to avoid
the actions being logged.
The most well-documented AAI literature is the evasion methods post-deployment,
so we discuss these in detail. One of the earliest methods was the work of [24],
which proposed perturbing samples to obtain a misclassification by the ML model
during the deployment stage. The change to the sample was a minimisation
optimisation problem which intended to make a minimal change (so that it was
undetectable by the human eye) but enough to cause a misclassification. In order
to optimise this problem, one needs to know the direction of sensitivity (e.g.,
positive/negative perturbations, perturbations of which features) and the
magnitude to perturb (usually as small as possible). The work introduces the
L-BFGS algorithm (the acronym is the author’s initials), which was a method to
solve the problem formulated as,
(1)
where f is the model’s cost function, and Y is the true label of the instance X.
The work also considers the disputed reasons for adversarial examples. They note
that the cause of adversarial samples is the result of linear behaviour in high
dimensional space [48]. The authors interestingly note a small perturbation to
many features of an instance can be far greater than a larger single feature
perturbation (such as the one-pixel attack [49]), which uses differential
evolution to evolve solutions which intend to change one single pixel in the
image. Although this method was fast to compute, the samples generated were
often non-functional. Later, three variants of FGSM were developed; namely,
one-step target class, Basic Iterative Method (BIM), and Iterative Least-Likely
Class Method (ILCM) [50]. The one-step method changes the Y value in
equation (1) from the true label to the desired class label and sets the
equation equal to Y . Therefore the algorithm considered perturbing toward a
specific class rather than just away from the true class. The BIM method
considers equation (1), but instead iterates the algorithm over small step sizes
which can produce numerous adversarial examples. Finally, ILCM also considers an
iterative version of equation (1) but considers perturbing toward the class with
the lowest recognition probability. DeepFool [51] is another tool which uses an
iterative process to generate adversarial examples to create samples of an image
which eventually crosses the class decision boundary.
Instead of gradient descent methods, Jacobian Based Saliency Maps (JSMA) [52]
consider the Jacobian of a function matrix (forward derivative), i.e., how does
a feature (pixel) change affect the change of a class probability? The saliency
map is commonly used in the XAI literature to detect which pixels are making the
most significant contributions to the model’s prediction and hence which input
features should be perturbed for a desired effect on model output—this map is
usually utilised to craft adversarial samples or can be superimposed over the
original image as a heatmap. JSMA allows for source-to-target class adversarial
sample creation. Using the Jacobian of the model can allow one to determine the
sensitivity of a model for specific inputs, i.e., greater sensitivity means
perturbations have larger effects on the model’s prediction of a class. To use
JSMA, one must calculate the forward derivative matrix, also denoted the
Jacobian j of the learned function F. This is defined in the original work as:
(2)
for inputs x1, x2 and F(X) providing the model output. A salience map S(X, t)[i]
can then be computed with the formulae:
(3)
This limits the Jacobian to be positive (positive effect of the pixel on
classification) to decide if input feature i should be perturbed for an
adversarial effect on the model. The work showed not all areas of the search
space are equally difficult for crafting adversarial samples and that certain
source-to-target class pairs are easier to craft than others. For this attack,
only the model’s output and inputs (closed-box) are required to calculate the
Jacobian and create a saliency map. Other attacks include using EAs and PSO to
optimise the problem [53] and generative adversarial networks GANs, such as
AdvGAN [54], which is used to generate adversarial examples. Furthermore, there
exists a range of open-source tools to enact these perturbation attacks.
In this work, we also consider patch-based attacks [55] which are a prevalent
evasion attack within the literature. These attacks involve generating a highly
salient digital or physical patch that can be applied to the image or physical
environment to avoid object detection models [56–60] and classification
models [55] by being more salient than other objects in the image and refocusing
the attention of the model to the patch [55]. Cyber-physical patch attacks are
often formulated as an optimisation problem akin to perturbation attacks. The
problem can be formulated as [57],
(4)
where we aim to generate a patch P where A (P, x, l, t) is the input taking a
transformation function A which applies the patch using the original image x,
location l and rotation/scaling transformation t. We aim to maximise the loss
function of the probability of classifying the input A to true classification
label . The resulting optimisation formulates an adversarial patch which is
superimposed onto the original image and inputted into the model. Common
patch-based attacks include DPatch, which is a closed-box adversarial patch
attack for object detection models, and the work of [61] considers dynamic
patches (video), to name a few.
3.
ADVERSARIAL AI IN MARITIME AUTONOMOUS SYSTEMS
We now consider evaluating the threat to ML systems utilised to operate
autonomous systems in the maritime environment. Most of the adversarial attacks
have been evaluated only in a limited laboratory environment; we aim to evaluate
these attacks in the real world where the effects are unknown, yet have the
greatest potential for impact. This is highlighted as a primary challenge of
adversarial AI by adversarial AI authors, including in the literature survey
of [62] “[the] need to verify the attack effect in real physical scenarios” and
“the current defence technology research lacks the practice in the real world”.
We demonstrate these attacks in the MAS environment and provide the results and
analysis to highlight the effects and practicability of these attacks in the
real world. Where appropriate, we visually show some of these attacks in this
work. While these threats consider adversarial attacks on AI, conventional cyber
security attacks are just as pertinent. Furthermore, some AAI attacks require
one to employ AAI and conventional cyber security attacks in unison. Also,
conventional security, such as unpatched software and the jamming/spoofing of
sensors, can affect both conventional cyber security and AAI-based security. The
focus of this work only considers the nascent domain of AAI in MAS, which
comprises very limited literature. Notably, in the literature review to date, we
found a single publication [63] considering a few theoretical AAI attack
possibilities against MAS.
In this publication, we will use Microsoft’s failure modes in the ML
framework [64] to comprehensively evaluate the type of threats to MAS and
provide context to the maritime environment. Microsoft’s failure modes in the ML
framework categorise AAI attacks into a possible 11 classifications; we list
these below. We provide several proof-of-concepts with this list. These are not
intended to be an exhaustive set but to demonstrate the usefulness and
feasibility of MAS AAI.
Class 1:
Model inversion—Even if one is able to secure and protect the knowledge the ML
uses to make an output, such as the features used during prediction, one may be
able to query the model to determine the model’s prerequisite features in a
model inversion attack. Whilst this does not threaten the model’s functionality,
it could be used in the form of reconnaissance to support a future attack.
Therefore, the attack is an abuse of the confidentiality of the system.
Class 2:
Perturbation attack—In a perturbation attack, the attacker crafts a query which
is submitted to the ML algorithm and the ML algorithm actions the attacker’s
desired response. For example, an attacker could evolve an adversarial data
example with an EA, possibly in some underrepresented area/tail of the
probability occurrence distribution or a near boundary instance, which causes
the collision avoidance system to output a false negative in a busy port and not
make an appropriate collision avoidance maneuver. This threat has high
consequences; it could be relatively simple to achieve the attack but requires
access to modify (or create adversarial inputs and block the legitimate traffic)
the input to the ML model—conventional cyber attacks could be leveraged to
support this. An example of this attack can be seen in figure 1 and figure 2, it
should be noted that the accuracy of the adversarial sample appears correlated
with the quality of the original image. Therefore using low-resolution cameras
may be more susceptible to attack as well as reducing the model classification
accuracy.
FIGURE 1.
Adversarial perturbation attack sample was generated for a pre-trained
MobileNetV2 image classification model. The input sample, a submarine image, is
predicted as a submarine by the model, providing a confidence value of 80.15%.
The adversarial sample is predicted as a llama by the model, providing a
confidence value of 10.74%. The FGSM attack with 𝜖 = 0.1 was set.
FIGURE 2.
Adversarial perturbation attack sample was generated using real-world data on a
pre-trained FasterRCNN object detection model. The input sample, a warship, is
predicted as a vessel by the model, providing a confidence value of 98.87%. The
adversarial sample is predicted as multiple incorrect objects by the model with
the greatest prediction of person, providing a confidence value of 99.33%. The
projected gradient descent attack with the maximum allowable pixel-wise
difference between the original image and the adversarial image set at 32. Both
the FasterRCNN and YOLOV3 model used in this work was trained on the COCO
dataset labelling all ships, marine vessels and boats under the classification
of ‘boat’.
Class 3:
Membership inference—The attacker may be able to infer whether a data instance
is a constituent of the training data used to train a model, potentially a
breach of privacy.
Class 4:
Model stealing—Through querying the model, the attacker may be able to determine
information about the model parameters and architecture. With this information,
the attack could recreate the model and essentially steal the model/IP. This
could save the attacker time and money having to develop the model themselves;
this also could be used to turn a black-box model into a white-box model for use
with other attack methods. An adversary who steals a MAS model could recreate
the model and perform offline attacks (non-logged events) for greater stealth
and create more efficient and accurate attacks before applying it to the real
online model.
Class 5:
Adversarial example in the physical domain—An adversarial example in the
physical domain is akin to a perturbation attack. It considers modifying
physical properties; for example, an attacker could spoof certain sensor inputs
to confuse the MAS vessel and cause a change in the vessel’s trajectory or one
could paint a signature on a hostile ship that the searching MAS CNN recognises
as a benign object. Example patch attacks can be seen in figures 3 and 4.
FIGURE 3.
Adversarial patch attack sample generated to attack the common pre-trained
ResNet50 image classification model. The input sample, an image of an
anti-shipping missile, is predicted as a missile by the model, providing a
confidence value of 61.12%. An adversarial patch (b) is provided physically
(e.g., as a sticker) or to the input image to change the classification
prediction to a spotlight by the model, providing a confidence value of 20.74%.
The patch attack [55] method was used. The patch size and shape can be optimised
to increase the model classification (although out of scope for this research
paper).
FIGURE 4.
A real-world adversarial patch attack sample [56] generated to attack the common
pre-trained YOLOv3 object detection model. The input sample, an image of two
vessels, is predicted as a vessel by the model, providing a confidence value of
99% and 92%. An adversarial patch (b) is provided digitally or physically (e.g.,
as a sticker) to change the detection prediction to a zebra by the model. Notice
the patch can interfere with the prediction and hide nearby objects, such as the
second ‘boat’, i.e. vessel, on its right in the photo. The patch does not need
to be significantly large but can be closer to the camera than the evading
objects to produce the desired effect.
Class 6:
Malicious ML provider recovering training data—Akin to a membership inference
attack, the attacker may be able to infer the training data used to train a
model. The difference from this attack is that the attacker can use queries to
derive training data which could potentially be a breach of privacy. The data
could contain sensitive information, breach confidentiality, and support
model/IP theft.
Class 7:
Attacking the ML supply chain—In this attack, the attacker could interfere with
elements of the ML lifecycle. For example, capturing training/testing data and
retraining new models can be resource-heavy (time and cost); therefore,
engineers optimise time by reusing models (transfer learning) and existing
datasets. This creates a vector for attackers to manipulate data and models. For
example, a model intended to be shared and reused for developing navigational AI
could have neurons injected, which cause the vessel to change course given
specific spoofed input signals.
Class 8:
Backdoor ML—One could create a backdoor utilising the innate poor
interpretability of an extensive neural network. For example, one could inject
specific neurons or alter existing neuron weights to minimise the noise in the
object detection CNN model but render a backdoor so that, given a specific input
(a hostile vessel), a model predicts a desired output (misclassify). This could
damage both the integrity and confidentiality of the ML model.
Class 9:
Exploit software dependencies—This considers the conventional attack surface of
software more generally. This could require an attacker to corrupt ML libraries
or exploit buffer overflow attacks in the developing software (e.g., labelling
application).
Class 10:
Reprogramming the ML system—In this attack, the attacker takes the existing ML
model and uses it to perform a nefarious task.
Class 11:
Poisoning attack—Poisoning attacks involve manipulating the training data of the
ML model. One could manipulate by injecting new values, new samples, or
modifying the feature values or/and labels of the training data. This could be
executed to reduce the integrity and availability of the ML model. For example,
changing the distribution of the training data or injecting chaff data creates a
high misclassification rate and hence reduces the integrity of the system; this
could render a denial of service type attack. A MAS-related example could be
that for a MAS search vessel, the images or acoustic signals of a certain
hostile ship are incorrectly classified. This attack requires access to the
training phase of ML development and so is more difficult to achieve than other
attacks. It is also more likely that an attack to cause large misclassification
for many classes would be noticed during the testing phase of the model’s
development. An example of AIS poisoning can be seen in Table 1.
Time stamp MMSILatitude LongitudeSpeedIMONameDestination 05/01/2021
01:3420950401127.09833−79.8878315.157929517411CONTSHIP ICEUSMIA 05/01/2021
01:5020950401127.05333−79.8858315.157929517411CONTSHIP ICEUSMIA 05/01/2021
02:1020950401126.99783−79.8838315.157929517411CONTSHIP ICEUSMIA 05/01/2021
06:0420950401126.33928−79.9222914.757929517411CONTSHIP ICEUSMIA 05/01/2021
06:1020950401126.32417−79.9231714.657929517411CONTSHIP ICEUSMIA 05/01/2021
06:1520950401126.31133−79.9238314.857929517411CONTSHIP ICEUSMIA 05/01/2021
06:2020950401126.29667−79.9248314.657929517411CONTSHIP ICEUSMIA 05/01/2021
06:2520950401126.28433−79.9253314.757929517411CONTSHIP ICEUSMIA 05/01/2021
06:30209504011 26.269−79.92614.857929517411CONTSHIP ICEUSMIA 05/01/2021
06:35209504011 26.256−79.9266714.857929517411CONTSHIP ICEUSMIA 05/01/2021
06:4020950401126.24117−79.9271714.857929517411CONTSHIP ICEUSMIA 05/01/2021
06:45209504011 26.227−79.9276714.657929517411CONTSHIP ICEUSMIA 05/01/2021
06:5020950401126.21433−79.9281714.557929517411CONTSHIP ICEUSMIA 05/01/2021
06:5520950401126.19967−79.9288314.757929517411CONTSHIP ICEUSMIA 05/01/2021
07:0020950401126.09457−79.9995514.657929517411CONTSHIP ICEUSMIA
TABLE 1
A sample of poisoned AIS data. The Maritime Mobile Service Identity (MMSI)
number was altered (the last two values were modified), and the vessel velocity
was modified using the velocity standard deviations. The GPS coordinates can be
replaced with other vessels’ coordinates. Poisoned data can be used to poison
the model during training or spoof existing situational awareness AI.
3.1.
EXPERIMENTAL SETUP AND FINDINGS
In order to test the proof-of-concept adversarial perturbation and patch
attacks, we examined and collected the relevant data from Plymouth sound (UK
territorial waters). The vessel used four Omega 1080p cameras which can collect
video media that can be fed into an object detection computer vision model at
either the vessel or remote centre side. The camera array was mounted on a
manned vessel, but in a way that it would have the same view of its immediate
surroundings as a USV would. Refer to the figure captions for the specific
models used and parameters to generate relevant attacks.
The primary findings of the study showed that the lab-developed attack methods
worked well in a controlled environment. However, when performing these same
attacks in a complex and dynamic environment like the sea, the effectiveness of
the attacks varied more significantly. Just as the type of AI most effective
depends on the environment and application of the model, so does the type of
attack. The quality of the onboard cameras made object detection and hence
evasion more difficult. The object’s range from the camera influences the
model’s effectiveness and evasion. At sea, water distortion, water on the lens,
and vibrations of the vessel also added to this effect. Lighting was another
important variable where the position of the natural light could cause
difficulties. One can observe in figure 2a and figure 4 different effects of
light taken within an hour window on both the model accuracy and attack
accuracy. We also consider the possible application of these attacks, for
example, perturbation attacks, which would require the precise distortion of the
input for misclassification—this would require access to the model input, which
could be challenging in a marine environment. Furthermore, the generation time
of the perturbation map for many attacks would generate significant delays to
the input image—making it an unlikely vector of attack until more sophisticated
and faster methods can be developed. This additional complication means one can
not be certain of the effects and limitations of the AAI without evaluating the
AI in the natural environment and application of the AI.
Other attacks, such as the patch attack seemed far more likely to be used in a
real-world attack. For example, the patch could be physically placed on or near
an object and surrounding objects (even objects not covered by the patch) would
appear hidden to the model. This is potentially a way for attackers to evade and
hide from object detection models. The patches also have a degree of
transferability between models. However, from experimentation, the size and
placement (camera-angle-distance relationship) alter the effect of the patch
attack. The strength of the patch detection and distance from other objects also
affect this hiding/evasion property of nearby objects. Patch attack of an image
classifier is easier to achieve than of an object detection model but less
practical as MAS are more likely to use object detection (for detecting multiple
objects in frame) than image classification. For many of these reasons, we
strongly advocate the testing of these methods and future novel methods in a
more dynamic environment to gauge the real-world impacts of such attacks.
3.2.
AI LIFECYCLE
The ML development process has a whole lifecycle, denoted MLOps (analogous to
DevOps shorting of development operations), commonly understood as defining the
problem, data acquisition, data preprocessing, model training, model testing and
post-deployment ops. Different attacks can occur at different stages in the
development of the model, so each stage and transfer between stages are
vulnerable. One could corrupt the environment during the early stages of data
collection, manipulate the data preprocessing functions, exploit the hardware
(particularly GPUs and CPUs) during training, obfuscate backdoors in transfer
learning models and craft adversarial samples during deployment. In figure 5, we
illustrate the process of the ML pipeline and the possible known types of
attacks discussed previously.
FIGURE 5.
The machine learning lifecycle and adversarial AI attack types.
The attacks are considered at the various common stages of ML development;
however, it is possible for other attacks to be performed in the interim stages
of the ML cycle and for vulnerabilities to exist during the ML stage transition.
For example, a data poisoning attack could occur when recalled by the training
software immediately before model training. We can also see from the diagram
that the majority of attacks are focused on the deployment stage of the model’s
lifecycle.
4.
AI SECURITY PRINCIPLES FOR MAS
This section considers existing AAI attacks in maritime autonomous systems
(Section 3) to create principles to secure maritime autonomous systems. Based on
the eleven attack categories, we propose seven secure MAS principles, each with
the objective of mitigating the respective AAI attack threat.
There is no one size fits all method of adversarial defence and risk assessments
should be considered at the beginning of the ML development process to determine
the types of risks, threats, data and the use case of the AI system. It should
also be noted that whilst following the suggested principles for maritime
autonomous systems provides a degree of security, this will not completely
secure the systems from all possible attacks; one reason for this is that a
model would need to produce a safe mapping from output to all possible inputs
which is an NP-hard problem. Furthermore, the adversarial AI threat is a
fast-evolving landscape, and it is likely the case that novel threats will be
detected over the coming years. These AAI principles have been generated by the
authors for MAS AI based on the findings of this work and aim to reduce the real
threat surface this industry faces. These principles for secure AI in maritime
autonomous systems are as follows:
1. (1)
Enforce strong conventional cyber security principles—In addition to strong
adversarial AI defences, conventional security methods can complement AI
security. This is why the first principle is to create strong conventional
cybersecurity. At this early stage in AI development, attacks utilising poor
conventional security practices (e.g., unpatched ML libraries) are the most
likely vectors of attack. Good countermeasures include blocking bad internet
protocol addresses, using CAPTCHA before inputs can be made and
throttling/limiting queries to the model. Log inputs and events. Ensure ML
libraries and systems are patched and up to date. Limit user access to the
model and implement least privilege authority practices. Secure
acquisition/storage/transport/decommissioning of model and data can prevent
transfer learning/data/model poisoning-based attacks. These strong
conventional security measures can protect against Reprogramming ML,
attacking the supply chain, and exploiting software dependencies threats.
2. (2)
Develop risk assessment/security assessment before starting ML
projects—Whilst this is a property of enforcing strong conventional cyber
security, it was too important not to have its own principle. Consider the
application of the ML, the types of ML and their associated vulnerabilities
and the generation process to develop a risk assessment. Consider who, why
and how an attack might benefit from attacking the application.
Mission-critical and security-sensitive AI would likely require a more
secure approach to AI development. Furthermore, some applications may
further increase risk by utilising processes such as continual learning,
which prove additional attack vectors for attackers [27]. A real-world
example of this attack was the Microsoft Tay Twitter-trained bot in the
first few hours of deployment [65]. Moreover, whilst convenient, the reuse
of models (transfer learning/AI repurposing) and data increases the
opportunities for exploitation.
3. (3)
Maximise the model’s robustness—Maximising model robustness reduces the
attacking space available to prevent perturbation and adversarial examples.
The exploitation of model robustness is one of the simplest of attacks to
implement given the scalability of the attack (many models are not robust
against all possible adversarial space). It is also possible to use the
attack to cause a failure (sometimes not so obvious) of mission-critical
systems. Maximising the model’s robustness should also provide the
additional benefits of protecting against accidental adversarial
attacks/errors. Furthermore, the work of [27] also considers forcing model
architecture and capacity proportionate to training data to improve
robustness and reduce unnecessary feature space whilst covering the
distribution of training data.
4. (4)
Maximise explainability and insight for trusted developers and minimise for
untrusted users—Explainability should play a significant role in supporting
the development of adversarial AI defences in the coming years. Having
greater explainability provides many benefits, but in the context of
security, having a better understanding of the ML system’s decision
processes can support; locating poisoned models, the system limitations,
transferability, robustness, and trustworthiness to enhance the security of
the system. However, this knowledge could also be used to find and exploit
weaknesses, such as locating adversarial space. Therefore one should limit
the explainability outputted by the model to untrusted users as well as the
technical details of the model, e.g., parameter values and model
architecture.
5. (5)
Regulate the input and output of the model—This principle ties in with
revealing too much information about the model, which could be used for
nefarious activities against the model, e.g., one could avoid revealing
exact probabilities of detection for a classification model to prevent some
gradient-based attacks. Regulating the input of the model can prevent
adversarial queries from successfully triggering backdoors or exploiting the
model [27].
6. (6)
Recognise the exploitation of the model and understand the risks of
exploitation—Having indicators of compromise for the model will not stop
adversarial attacks from happening but could allow one to identify and
isolate threats. Understanding the effects of a compromised system will
allow one to understand the risks and develop effective tailored security
approaches in depth.
7. (7)
Sensor redundancy/harmonisation and data correlation—Utilising multiple
fused sensor inputs can be used to bring assurance to situational awareness
modules. For example, relying exclusively on a single sensor to deduce the
presence or absence of objects is likely to increase the ease of attack.
However, sensor fusion of the CV, LiDAR, forward-looking sonar, AIS, and
RADAR, all feeding into a navigational AI system, would increase the overall
robustness of the system. The requirement of fooling multiple sensors would
be exponentially more challenging to mount a successful attack than that of
a single sensor, and anomalous behaviour becomes more apparent if not all
sensors are fooled, which could lead to a lower confidence weighting
provided to data which significantly differs/appears adversarial from other
sensors’ results.
4.1.
COUNTERMEASURES
This section details possible countermeasures which could be used to implement
the six principles proposed above to protect MAS AI against AAI; these are
summarised in Table 2. We first consider adversarial training. Adversarial
training requires synthesising adversarial samples from a model and using those
adversarial samples as training data to train the model to produce an element of
model robustness against adversarial attacks [24, 48]. The samples can be
iteratively generated by retraining the model and regenerating adversarial
training data [66]. By creating new samples, we increase the distribution of the
dataset for the robustness and accuracy of the model. The first instance of
adversarial training was [24], which used FSGM to create and then inject samples
into the training data. Many variations and improvements of adversarial training
exist, such as using GANs [67–69]. DNN verification tools can be used to locate
adversarial samples [70]. It is worth noting to search all the sample space is
an NP-hard problem. The three-step null label method blocks the transferability
of attacks between models. The method adds a new null label to a one-hot
encoding, and the network is trained with some adversarial samples which are
labelled as null, therefore if the model input is classified highly as null,
this indicates an adversarial input [71] and reduces adversarial attacks
happening between models.
AAI AttackDefencesPerturbation AttackAdversarial training, Regularisation,
Ensemble methods,
Input validation and manipulation/preprocessing,
Gradient masking, Model distillation,
Adversarial sample detection, Explainability Poisoning AttackRegularisation,
Ensemble methods,
Input validation and manipulation/preprocessing,
Explainability Model InversionInput validation and manipulation/preprocessing,
Adversarial sample detection, Explainability,
Preventing information loss Membership InferenceInput validation and
manipulation/preprocessing,
Adversarial sample detection, Explainability,
Preventing information loss Model stealingPreventing information loss
Reprogramming the MLRegularisation, Ensemble methods,
Gradient masking, Model distillation,
Explainability, Preventing information loss Adversarial Example in Physical
DomainAdversarial training, Regularisation, Ensemble methods,
Input validation and manipulation/preprocessing,
Gradient masking, Model distillation,
Adversarial sample detection, Explainability ML Provider Recovering Training
DataRegularisation, Ensemble methods,
Input validation and manipulation/preprocessing,
Gradient masking, Model distillation, Explainability,
Preventing information loss Attacking the ML Supply ChainStrong conventional
cybersecurity practices Backdoor MLRegularisation, Ensemble methods,
Input validation and manipulation/preprocessing,
Model distillation, Explainability, Preventing Exploit Software
DependenciesStrong conventional cybersecurity practices
TABLE 2
The associated defensive countermeasures to prevent exploitation from each
adversarial attack. There is much overlap between the defences resulting in the
effect of the sum of multiple defensive measures being greater than its
individual constituents.
Further countermeasures include regularisation. Regularisation is used in ML to
prevent overfitting of a model during training (adding a penalty, i.e. regular
term, to a cost function); this can reduce the possible adversarial attack space
by making the model more robust to small perturbations. Methods of
regularisation include feature pruning to prune activations and neurons from a
network [72]. Neuron dropout can be used during model training to stochastically
remove neurons which can prevent overfitting on small datasets and potentially
remove a backdoor [73]. Other methods include adding a layer of random noise to
the model after the input layer so that during forward propagation, the noise
creates slightly different outcomes to make the model more robust against small
permutations [74].
Ensemble methods is a term used to represent the combination of multiple ML
models constituting an overall model. Common methods include using gradient
boosting such as XGBoost [75]. This method can reduce the likelihood of training
data poisoning as the individual models are trained on different datasets;
therefore, when combining the models, the good models can reduce the effect of
the poisoned models [76]. It is also possible that adversarial samples are fewer
with a greater distribution of training data.
Input validation (or sanitation) and manipulation/preprocessing, which can
control the data going into the model can help prevent attacks. Input
reconstruction can be used to remove the adversarial effect from input data
analogous to input sanitisations to prevent Structured Query Language (SQL)
attacks. Input reconstruction was suggested in the work of [77], which proposed
transforms applied to input images before making model predictions (clipping,
JPEG compression, rescaling depth, etc.). Feature compression/data compression,
as in ComCNN [78], can be used to reduce the feature depth of the input, e.g.,
reduce the colour depth of pixels and increase robustness at the cost of reduced
input accuracy. Inputs could also be filtered, smoothed, and have random noise
applied on input to sanitise the data. Regression analysis can be used to locate
data outliers during input [79]. Image preprocessing (such as random image
padding) can be used to prevent a backdoor attack from being triggered. Input
denoising works by attempting to remove noise from the input. Tools include
(high-level representation guided denoiser HGD [80]). GANs can be used to clean
data by recreating a similar image to the input. MagNet [81] and
defence-GAN [82] are tools that can also be used to recreate input images with
reduced adversarial noise on a more similar manifold to the benign data.
A countermeasure that would be useful against the perturbation attacks shown in
this paper, and others, is gradient masking. Gradient masking can reduce the
likelihood of an attacker acquiring the model’s gradient and hence reduce
against gradient-based adversarial attacks [83]. There is no reduction in the
adversarial sample size. However, this attack aims to make it more difficult for
open-box probing, by masking the useful gradient, at finding these samples. The
effect works by creating less smooth (sharper) boundaries for classification.
Gradient masking methods include model distillation and dropout.
Model distillation requires training a smaller, less complex model based on the
original complex model. This reduction/compression in model complexity, whilst
maintaining similar model accuracy, can help prevent adversarial attacks by
creating a model with smoother loss and hence less sensitive to small
perturbations [84]. The original output is used as a soft label, and the
original label is used as a hard label.
Adversarial sample detection can help protect MAS AI against adversarial AI via
input monitoring. Instead of sterilising the input, one could attempt to detect
if the input is an adversarial sample before being accepted or rejected by the
model. The input can then be determined as adversarial or benign before being
decided whether to be entered into the model. For example, these detection
models can be created as a binary classifier and determine if the input follows
a similar distribution to the training data [85].
Explainability covers a number of terms, such as trustworthiness, causality,
transferability, and informativeness which all support the understanding and
hence the security of the ML models. Explainability is a hot topic, and many
methods exist to support model explainability. Improving AI explainability is
critical as this sector develops AI for mission-critical operations.
Preventing information loss considers the threat of model stealing in a few
ways. To protect against data stealing, one could use PATE [86], which splits
the training data into subsets and trains multiple models on the subsets before
the models are combined, and the systems vote on the predicted outcome.
Watermarking can also be used to place a unique watermark in the model, which
can be evaluated to determine if it was stolen [87].
5.
CONCLUSION
This work has provided an evaluation of AI security in maritime autonomous
systems. A literature review revealed the potential vulnerabilities in MAS AI
that could be exposed through a set of adversarial AI test cases strategically
designed to test AI used in MAS operations. However, this study of the current
state-of-the-art MAS security has also highlighted the inherent vulnerabilities
of only testing adversarial AI in limited laboratory environments. Given the
extreme differences in marine environments based on location, weather, and time
of day, it is also clear that any AAI dataset must also be evaluated in a
real-world environment to be truly useful and cyber-resilient maritime AI. After
the evaluation of these results in situ, we developed a series of secure AI in
MAS principles which can be used to mitigate these threats across the AI’s
lifecycle.
In further work, we recognise the limited preparation and understating of AAI in
MAS technologies by developers, security professionals, and marine regulators.
Therefore, knowledge could be disseminated by the secure AI principles and AAI
employee training. We would also consider the evaluation of other attacks and
their associated defences in the maritime environment (in a range of
conditions); we would then consider the effects of underwater distortion etc.
Further, we aim to evaluate a range of real-world AI (existing commercial and
military AI systems) against AAI—this will allow one to gauge the secondary
effects of the attack too, e.g., if one interferes with the CV object detection,
how would that impact the collision avoidance module of a vessel? As well as
evaluate the effectiveness of AAI and defence in a complex and dynamic
environment. Furthermore, we would like to consider the probability of each
attack in a maritime autonomous environment with some attacks more effective and
likely than others in the real-world environment. As we see greater
accessibility of AI, we are also likely to see an increase in the misuse of AI
(e.g., AI to support clandestine/smuggling operations) as well an increase in
the exploitation of AI systems. The importance of the security of AI is
increasing with its use in mission-critical systems (e.g., we are seeing
increasing use of maritime autonomous systems by militaries [88, 89]). Whilst
many of these AAI attacks have not been utilised in the real world, as the
potential financial gain of these attacks increase and the increased use of AI
in mission-critical systems, adversaries will look to exploit these methods and
the requirement to prepare for the fast-evolving AAI threat landscape is today.
CONFLICT OF INTEREST
The authors declare no conflict of interest
6.
ACKNOWLEDGMENTS
This work was supported by the Turing’s Defence and Security programme through a
partnership with the UK government in accordance with the framework agreement
between GCHQ & The Alan Turing Institute. The authors would also like to thank
the University of Plymouth for their use of their autonomous fleet in order to
collect real world data.
REFERENCES
1. 1.
Felski A, Zwolak K. The ocean-going autonomous ship—challenges and threats.
J Mar Sci Eng. 2020;8(1):41.
2. 2.
Kretschmann L, Burmeister H-C, Jahn C. Analyzing the economic benefit of
unmanned autonomous ships: an exploratory cost-comparison between an
autonomous and a conventional bulk carrier. Res Transp Bus Manag. 2017;25:
76–86.
3. 3.
Morris D. Worlds first autonomous ship to launch in 2018. Fortune
[Internet]. 2017 [cited 2017 Jul 22]. Available from
https://fortune.com/2017/07/22/first-autonomous-ship-yara-birkeland/.
4. 4.
Munim ZH. Autonomous ships: a review, innovative applications and future
maritime business models. Supply Chain Forum: Int J. 2019;20: 266–279.
5. 5.
Porathe T, Prison J, Man Y. Situation awareness in remote control centres
for unmanned ships. In: Proceedings of Human Factors in Ship Design &
Operation, 26–27 February 2014, London, UK. Buckinghamshire, UK: CORE;
2014. 93 p.
6. 6.
Tsvetkova A, Hellström M. Creating value through autonomous shipping: an
ecosystem perspective. Marit Econ Logist. 2022;24: 255–277.
7. 7.
Ziajka-Poznańska E, Montewka J. Costs and benefits of autonomous shipping -
a literature review. Appl Sci. 2021;11(10):4553.
8. 8.
Royce R. Remote and autonomous ships. In: AAWA position paper. Oslo,
Norway: DNV; 2016.
9. 9.
Anderson M. Bon voyage for the autonomous ship mayflower. IEEE Spectr.
2019;57(1):36–39.
10. 10.
Caruana R, Lou Y, Gehrke J, Koch P, Sturm M, Elhadad N. Intelligible models
for healthcare: predicting pneumonia risk and hospital 30-day readmission.
In: Proceedings of the 21th ACM SIGKDD International Conference on
Knowledge Discovery and Data Mining. New York, USA: ACM; 2015.
p. 1721–1730.
11. 11.
Kong Z, Xue J, Wang Y, Huang L, Niu Z, Li F. A survey on adversarial attack
in the age of artificial intelligence. Wirel Commun Mob Comput. 2021;2021:
4907754.
12. 12.
Qiu S, Liu Q, Zhou S, Wu C. Review of artificial intelligence adversarial
attack and defense technologies. Appl Sci. 2019;9(5):909.
13. 13.
Kaluza P, Kölzsch A, Gastner MT, Blasius B. The complex network of global
cargo ship movements. J R Soc Interface. 2010;7(48):1093–1103.
14. 14.
Askari HR, Hossain MN. Towards utilising autonomous ships: a viable advance
in industry 4.0. J Int Marit Saf Environ Aff Shipp. 2022;6(1):39–49.
15. 15.
Fan C, Wróbel K, Montewka J, Gil M, Wan C, Zhang D. A framework to identify
factors influencing navigational risk for maritime autonomous surface
ships. Ocean Eng. 2020;202: 107188.
16. 16.
Thombre S, Zhao Z, Ramm-Schmidt H, García JMV, Malkamäki T, Nikolskiy S,
Sensors and AI techniques for situational awareness in autonomous ships: a
review. In: IEEE Transactions on Intelligent Transportation Systems.
Piscataway, NJ: IEEE; 2020.
17. 17.
Noel A, Shreyanka K, Gowtham K, Satya K. Autonomous ship navigation
methods: a review. In: International Conference on Marine Engineering and
Technology Oman 2019 (ICMET Oman) [Internet]; 2019 Nov 5–7; Muscat, Oman.
Military Technological College Oman; 2019. Available from
https://doi.org/10.24868/icmet.oman.2019.028.
18. 18.
Bentes C, Frost A, Velotto D, Tings B. Ship-iceberg discrimination with
convolutional neural networks in high resolution SAR images. In:
Proceedings of EUSAR 2016: 11th European Conference on Synthetic Aperture
Radar. Hamburg, Germany: VDE; 2016. p. 1–4.
19. 19.
Wang J, Xiao Y, Li T, Chen CLP. A survey of technologies for unmanned
merchant ships. IEEE Access. 2020;8: 224461–224486.
20. 20.
Kim H, Kim S-H, Jeon M, Kim JH, Song S, Paik K-J. A study on path
optimisation method of an unmanned surface vehicle under environmental
loads using genetic algorithm. Ocean Eng. 2017;142: 616–624.
21. 21.
Song CH. Global path planning method for USV system based on improved ant
colony algorithm. In: Applied mechanics and materials. vol. 568,
Switzerland: Trans Tech Publications; 2014. p. 785–788.
22. 22.
Zhang Y, Gong D-w, Zhang J-h. Robot path planning in uncertain environment
using multi-objective particle swarm optimisation. Neurocomputing.
2013;103: 172–185.
23. 23.
Arrieta AB, Díaz-Rodríguez N, Del Ser J, Bennetot A, Tabik S, Barbado A,
Explainable artificial intelligence (XAI): concepts, taxonomies,
opportunities and challenges toward responsible AI. Inf Fusion. 2020;58:
82–115.
24. 24.
Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I,
Intriguing properties of neural networks [Internet]. arXiv; 2013. Available
from: https://arxiv.org/abs/1312.6199.
25. 25.
Mirsky Y, Demontis A, Kotak J, Shankar R, Gelei D, Yang L, The threat of
offensive AI to organizations. Comput Secur. 2022;124: 103006.
26. 26.
Caroline B, Christian B, Stephan B, Luis B, Giuseppe D, Damiani E, Securing
machine learning algorithms. Athens, Greece: ENISA; 2021.
27. 27.
Kate S. Introducing our new machine learning security principles. Boca
Raton, FL: CRC Press; 2022.
28. 28.
Seymour J, Tully P. Weaponizing data science for social engineering:
automated E2E spear phishing on twitter. Black Hat USA. 2016;37: 1–39.
29. 29.
Dang H, Liu F, Stehouwer J, Liu X, Jain AK. On the detection of digital
face manipulation. In: Proceedings of the IEEE/CVF Conference on Computer
Vision and Pattern Recognition. Seattle, WA, USA: IEEE; 2020. p. 5781–5790.
30. 30.
Akhtar N, Mian A. Threat of adversarial attacks on deep learning in
computer vision: a survey. IEEE Access. 2018;6: 14410–14430.
31. 31.
Elsayed G, Shankar S, Cheung B, Papernot N, Kurakin A, Goodfellow I,
Adversarial examples that fool both computer vision and time-limited
humans. In: 32nd Conference on Neural Information Processing Systems
(NeurIPS 2018), Montréal, Canada. Red Hook, NY: Curran Associates Inc.;
2018. 31 p.
32. 32.
Wang Z, She Q, Ward TE. Generative adversarial networks in computer vision:
a survey and taxonomy. ACM Comput Surv (CSUR). 2021;54(2):1–38.
33. 33.
Al-Dujaili A, Huang A, Hemberg E, OReilly U-M. Adversarial deep learning
for robust detection of binary encoded malware. In: 2018 IEEE Security and
Privacy Workshops (SPW). San Francisco, USA: IEEE; 2018. p. 76–82.
34. 34.
Kolosnjaji B, Demontis A, Biggio B, Maiorca D, Giacinto G, Eckert C,
Adversarial malware binaries: evading deep learning for malware detection
in executables. In: 2018 26th European Signal Processing Conference
(EUSIPCO). San Francisco, USA: IEEE; 2018. p. 533–537.
35. 35.
Li D, Li Q, Ye Y, Xu S. Arms race in adversarial malware detection: a
survey. ACM Comput Surv (CSUR). 2021;55(1):1–35.
36. 36.
Maiorca D, Biggio B, Giacinto G. Towards adversarial malware detection:
lessons learned from pdf-based attacks. ACM Comput Surv (CSUR).
2019;52(4):1–36.
37. 37.
Morris JX, Lifland E, Yoo JY, Grigsby J, Jin D, Qi Y. Textattack: a
framework for adversarial attacks, data augmentation, and adversarial
training in NLP [Internet]. arXiv; 2020. Available from:
https://arxiv.org/abs/2005.05909.
38. 38.
Wallace E, Feng S, Kandpal N, Gardner M, Singh S. Universal adversarial
triggers for attacking and analyzing NLP [Internet]. arXiv; 2019. Available
from: https://arxiv.org/abs/1908.07125.
39. 39.
Juuti M, Szyller S, Marchal S, Asokan N. PRADA: protecting against DNN
model stealing attacks. In: 2019 IEEE European Symposium on Security and
Privacy (EuroS&P). Stockholm, Sweden: IEEE; 2019. p. 512–527.
40. 40.
Wang B, Gong NZ. Stealing hyperparameters in machine learning. In: 2018
IEEE Symposium on Security and Privacy (SP). San Francisco, USA: IEEE;
2018. p. 36–52.
41. 41.
Kessler J. Data protection in the wake of the GDPR: California’s solution
for protecting “the world’s most valuable resource”. South Calif Law Rev.
2019;93: 99.
42. 42.
Sewak M, Sahay SK, Rathore H. Adversarialuscator: an adversarial-DRL based
obfuscator and metamorphic malware swarm generator. In: 2021 International
Joint Conference on Neural Networks (IJCNN). Piscataway, NJ: IEEE; 2021.
p. 1–9.
43. 43.
Gu T, Dolan-Gavitt B, Garg S. Badnets: identifying vulnerabilities in the
machine learning model supply chain [Internet]. arXiv; 2017. Available
from: https://arxiv.org/abs/1708.06733.
44. 44.
Barreno M, Nelson B, Sears R, Joseph AD, Tygar JD. Can machine learning be
secure? In: Proceedings of the 2006 ACM Symposium on Information, Computer
and Communications Security. New York, USA: ACM; 2006. p. 16–25.
45. 45.
Biggio B, Nelson B, Laskov P. Support vector machines under adversarial
label noise. In: Asian Conference on Machine Learning. Cambridge, MA: PMLR;
2011. p. 97–112.
46. 46.
Fredrikson M, Jha S, Ristenpart T. Model inversion attacks that exploit
confidence information and basic countermeasures. In: Proceedings of the
22nd ACM SIGSAC Conference on Computer and Communications Security. New
York: ACM; 2015. p. 1322–1333.
47. 47.
Orekondy T, Schiele B, Fritz M. Knockoff nets: stealing functionality of
black-box models. In: Proceedings of the IEEE/CVF Conference on Computer
Vision and Pattern Recognition. Piscataway, NJ: IEEE; 2019. p. 4954–4963.
48. 48.
Goodfellow IJ, Shlens J, Szegedy C. Explaining and harnessing adversarial
examples [Internet]. arXiv; 2014. Available from:
https://arxiv.org/abs/1412.6572.
49. 49.
Su J, Vargas DV, Sakurai K. One pixel attack for fooling deep neural
networks. IEEE Trans Evol Comput. 2019;23(5):828–841.
50. 50.
Kurakin A, Goodfellow I, Bengio S. Adversarial machine learning at scale
[Internet]. arXiv; 2016. Available from: https://arxiv.org/abs/1611.01236.
51. 51.
Moosavi-Dezfooli S-M, Fawzi A, Frossard P. Deepfool: a simple and accurate
method to fool deep neural networks. In: Proceedings of the IEEE Conference
on Computer Vision and Pattern Recognition. Las Vegas, NV, USA: IEEE; 2016.
p. 2574–2582.
52. 52.
Papernot N, McDaniel P, Jha S, Fredrikson M, Celik ZB, Swami A. The
limitations of deep learning in adversarial settings. In: IEEE European
Symposium on Security and Privacy (EuroS&P). Piscataway, NJ: IEEE; 2016.
p. 372–387.
53. 53.
Chen J, Su M, Shen S, Xiong H, Zheng H. Poba-ga: perturbation optimized
black-box adversarial attacks via genetic algorithm. Comput Secur. 2019;85:
89–106.
54. 54.
Xiao C, Li B, Zhu J-Y, He W, Liu M, Song D. Generating adversarial examples
with adversarial networks [Internet]. arXiv; 2018. Available from:
https://arxiv.org/abs/1801.02610.
55. 55.
Brown TB, Mané D, Roy A, Abadi M, Gilmer J. Adversarial patch [Internet].
arXiv; 2017. Available from: https://arxiv.org/abs/1712.09665.
56. 56.
Lee M, Kolter Z. On physical adversarial patches for object detection
[Internet]. arXiv; 2019. Available from: https://arxiv.org/abs/1906.11897.
57. 57.
Liu X, Yang H, Liu Z, Song L, Li H, Chen Y. Dpatch: an adversarial patch
attack on object detectors [Internet]. arXiv; 2018. Available from:
https://arxiv.org/abs/1806.02299.
58. 58.
Song D, Eykholt K, Evtimov I, Fernandes E, Li B, Rahmati A, Physical
adversarial examples for object detectors. In: 12th USENIX Workshop on
Offensive Technologies (WOOT 18). Berkeley, CA, USA: USENIX; 2018.
59. 59.
Wu H, Yunas S, Rowlands S, Ruan W, Wahlstrom J. Adversarial detection:
attacking object detection in real time [Internet]. arXiv; 2022. Available
from: https://arxiv.org/abs/2209.01962.
60. 60.
Yang C, Kortylewski A, Xie C, Cao Y, Yuille A. Patchattack: a black-box
texture-based attack with reinforcement learning. In: Computer Vision–ECCV
2020: 16th European Conference, Glasgow, UK, August 23–28, 2020,
Proceedings, Part XXVI. Berlin: Springer; 2020. p. 681–698.
61. 61.
Hoory S, Shapira T, Shabtai A, Elovici Y. Dynamic adversarial patch for
evading object detection models [Internet]. arXiv; 2020. Available from:
https://arxiv.org/abs/2010.13070.
62. 62.
Liang H, He E, Zhao Y, Jia Z, Li H. Adversarial attack and defense: a
survey. Electronics. 2022;11(8):1283.
63. 63.
Yoo J-W, Jo Y-H, Cha Y-K. Artificial intelligence for autonomous ship:
potential cyber threats and security. J Korea Inst Inf Secur Cryptol.
2022;32(2):447–463.
64. 64.
Kumar RSS, Brien DO, Albert K, Viljöen S, Snover J. Failure modes in
machine learning systems [Internet]. arXiv; 2019. Available from:
https://arxiv.org/abs/1911.11034.
65. 65.
Wolf MJ, Miller K, Grodzinsky FS. Why we should have seen that coming:
comments on microsoft’s tay “experiment”, and wider implications. ACM
SIGCAS Comput Soc. 2017;47(3):54–64.
66. 66.
Kim S, Kim H. Zero-centered fixed-point quantization with iterative
retraining for deep convolutional neural network-based object detectors.
IEEE Access. 2021;9: 20828–20839.
67. 67.
Kannan H, Kurakin A, Goodfellow I. Adversarial logit pairing [Internet].
arXiv; 2018. Available from: https://arxiv.org/abs/1803.06373.
68. 68.
Lee H, Han S, Lee J. Generative adversarial trainer: defense to adversarial
perturbations with gan [Internet]. arXiv; 2017. Available from:
https://arxiv.org/abs/1705.03387.
69. 69.
Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A. Towards deep learning
models resistant to adversarial attacks [Internet]. arXiv; 2017. Available
from: https://arxiv.org/abs/1706.06083.
70. 70.
Qian YG, Zhang XM, Wang B, Li W, Chen JH, Zhou WJ, Towards robust DNNs: a
Taylor expansion-based method for generating powerful adversarial examples
[Internet]. arXiv; 2020. Available from:. https://arxiv.org/abs/2001.08389.
71. 71.
Hosseini H, Chen Y, Kannan S, Zhang B, Poovendran R. Blocking
transferability of adversarial examples in black-box learning systems
[Internet]. arXiv; 2017. Available from: https://arxiv.org/abs/1703.04318.
72. 72.
Dhillon GS, Azizzadenesheli K, Lipton ZC, Bernstein J, Kossaifi J, Khanna
A, Stochastic activation pruning for robust adversarial defense [Internet].
arXiv; 2018. Available from: https://arxiv.org/abs/1803.01442.
73. 73.
Liu K, Dolan-Gavitt B, Garg S. Fine-pruning: defending against backdooring
attacks on deep neural networks. In: Research in Attacks, Intrusions, and
Defenses: 21st International Symposium, RAID 2018, Proceedings 21; 2018
Sep 10–12; Heraklion, Crete, Greece. Cham: Springer; 2018. p. 273–294.
74. 74.
Liu X, Cheng M, Zhang H, Hsieh C-J. Towards robust neural networks via
random self-ensemble. In: Proceedings of the European Conference on
Computer Vision (ECCV). Cham: Springer; 2018. p. 369–385.
75. 75.
Chen T, He T, Benesty M, Khotilovich V, Tang Y, Cho H. 2015. Xgboost:
extreme gradient boosting, R package version 0.4-2. 1–4.
76. 76.
Li D, Li Q. Adversarial deep ensemble: evasion attacks and defenses for
malware detection. IEEE Trans Inf Forensics Secur. 2020;15: 3886–3900.
77. 77.
Guo C, Rana M, Cisse M, Van Der Maaten L. Countering adversarial images
using input transformations [Internet]. arXiv; 2017. Available from:
https://arxiv.org/abs/1711.00117.
78. 78.
Jia X, Wei X, Cao X, Foroosh H. ComDefend: an efficient image compression
model to defend adversarial examples. In: Proceedings of the IEEE/CVF
Conference on Computer Vision and Pattern Recognition. Long Beach, CA, USA:
IEEE; 2019. p. 6084–6092.
79. 79.
Jagielski M, Oprea A, Biggio B, Liu C, Nita-Rotaru C, Li B. Manipulating
machine learning: poisoning attacks and countermeasures for regression
learning. In: 2018 IEEE Symposium on Security and Privacy (SP). Piscataway,
NJ: IEEE; 2018. p. 19–35.
80. 80.
Liao F, Liang M, Dong Y, Pang T, Hu X, Zhu J. Defense against adversarial
attacks using high-level representation guided denoiser. In: Proceedings of
the IEEE Conference on Computer Vision and Pattern Recognition. Bellingham,
WA: SPIE; 2018. p. 1778–1787.
81. 81.
Meng D, Chen H. Magnet: a two-pronged defense against adversarial examples.
In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and
Communications Security. New York, USA: ACM; 2017. p. 135–147.
82. 82.
Samangouei P, Kabkab M, Chellappa R. Defense-gan: protecting classifiers
against adversarial attacks using generative models [Internet]. arXiv;
2018. Available from: https://arxiv.org/abs/1805.06605.
83. 83.
Folz J, Palacio S, Hees J, Dengel A. Adversarial defense based on
structure-to-signal autoencoders. In: 2020 IEEE Winter Conference on
Applications of Computer Vision (WACV). Piscataway, NJ: IEEE; 2020.
p. 3568–3577.
84. 84.
Papernot N, McDaniel P, Wu X, Jha S, Swami A. Distillation as a defense to
adversarial perturbations against deep neural networks. In: 2016 IEEE
Symposium on Security and Privacy (SP). Piscataway, NJ: IEEE; 2016.
p. 582–597.
85. 85.
Tanay T, Griffin L. A boundary tilting persepective on the phenomenon of
adversarial examples [Internet]. arXiv; 2016. Available from:
https://arxiv.org/abs/1608.07690.
86. 86.
Papernot N, Abadi M, Erlingsson U, Goodfellow I, Talwar K. Semi-supervised
knowledge transfer for deep learning from private training data [Internet].
arXiv; 2016. Available from: https://arxiv.org/abs/1610.05755.
87. 87.
Adi Y, Baum C, Cisse M, Pinkas B, Keshet J. Turning your weakness into a
strength: watermarking deep neural networks by backdooring. In: 27th
{USENIX} Security Symposium ({USENIX} Security 18). Berkeley, CA, USA:
USENIX; 2018. p. 1615–1631.
88. 88.
Hall A. Autonomous minehunter to trial uncrewed operations in the gulf.
Navy News [Internet]; 2023 [cited 2023 Feb 13]. Available from:
https://www.royalnavy.mod.uk/news-and-latest-activity/news/2023/february/13/20230213-autonomous-minehunter-to-trial-uncrewed-operations-in-the-gulf.
89. 89.
Hall A. Dstl and DASA research underpins royal navy maritime autonomy. Navy
News [Internet]; 2023 [cited 2023 Jan 26]. Available from:
https://www.gov.uk/government/news/dstl-and-dasa-research-underpins-royal-navy-maritime-autonomy.
--------------------------------------------------------------------------------
Written by
MATHEW J WALTER, AARON BARRETT, DAVID J WALKER AND KIMBERLY TAM
Article Type: Research Paper
•
Date of acceptance: March 2023
Date of publication: April 2023
•
DOI: 10.5772/acrt.15
Copyright: The Author(s), Licensee IntechOpen, License: CC BY 4.0
Download for free
Cite
© The Author(s) 2023. Licensee IntechOpen. This is an Open Access article
distributed under the terms of the Creative Commons Attribution License
(https://creativecommons.org/licenses/by/4.0/), which permits unrestricted
reuse, distribution, and reproduction in any medium, provided the original work
is properly cited.
--------------------------------------------------------------------------------
Impact of this article
254
Downloads
764
Views
1
Dimensions Citations
3
Altmetric Score
--------------------------------------------------------------------------------
Share this article
Join us today!
Submit your Article
HomeNewsContactCareersClimate Change Hub
AboutOur Authors and EditorsScientific AdvisorsTeamEventsAdvertisingPartnerships
PublishAbout Open AccessHow it worksOA Publishing FeesOpen Access fundingPeer
ReviewingEditorial Policies
Headquarters
IntechOpen Limited
5 Princes Gate Court,
London, SW7 2QJ,
UNITED KINGDOM
Phone: +44 20 8089 5702
Author Panel Sign in
* Terms and Conditions
* Privacy Policy
* Customer Complaints
© 2022 IntechOpen. All rights reserved.