• <tr id="yyy80"></tr>
  • <sup id="yyy80"></sup>
  • <tfoot id="yyy80"><noscript id="yyy80"></noscript></tfoot>
  • 99热精品在线国产_美女午夜性视频免费_国产精品国产高清国产av_av欧美777_自拍偷自拍亚洲精品老妇_亚洲熟女精品中文字幕_www日本黄色视频网_国产精品野战在线观看 ?

    An Improved Optimized Model for Invisible Backdoor Attack Creation Using Steganography

    2022-08-24 12:56:18DaniyalAlghazzawiOsamaBassamRabieSurbhiBhatiaandSyedHamidHasan
    Computers Materials&Continua 2022年7期

    Daniyal M.Alghazzawi, Osama Bassam J.Rabie, Surbhi Bhatiaand Syed Hamid Hasan,*

    1Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah, 21589,Saudi Arabia

    2Department of Information Systems, College of Computer Sciences and Information Technology, King Faisal University,Saudi Arabia

    Abstract: The Deep Neural Networks (DNN) training process is widely affected by backdoor attacks.The backdoor attack is excellent at concealing its identity in the DNN by performing well on regular samples and displaying malicious behavior with data poisoning triggers.The state-of-art backdoor attacks mainly follow a certain assumption that the trigger is sample-agnostic and different poisoned samples use the same trigger.To overcome this problem, in this work we are creating a backdoor attack to check their strength to withstand complex defense strategies, and in order to achieve this objective,we are developing an improved Convolutional Neural Network (ICNN)model optimized using a Gradient-based Optimization (GBO)(ICNN-GBO)algorithm.In the ICNN-GBO model, we are injecting the triggers via a steganography and regularization technique.We are generating triggers using a single-pixel, irregular shape, and different sizes.The performance of the proposed methodology is evaluated using different performance metrics such as Attack success rate, stealthiness, pollution index, anomaly index, entropy index, and functionality.When the CNN-GBO model is trained with the poisoned dataset, it will map the malicious code to the target label.The proposed scheme’s effectiveness is verified by the experiments conducted on both the benchmark datasets namely CIDAR-10 and MSCELEB 1M dataset.The results demonstrate that the proposed methodology offers significant defense against the conventional backdoor attack detection frameworks such as STRIP and Neutral cleanse.

    Keywords: Convolutional neural network; gradient-based optimization;steganography; backdoor attack; and regularization attack

    1 Introduction

    Digital communication is the most preferred and promising way of communication made in this smart world.There are various Digital Media available to transmit information from one person to another via varying types of channels.Moreover, this also increases security issues due to the possibility of copying and transmitting the data illegally [1].Besides, illegal hackers can transmit the information without any loss and quality.This becomes a daunting issue to the authentication, security, and copyright contents.Hence it is necessary to protect the information during communication.Following this many works have been carried out to safeguard the information.One of the most widely used protection techniques is Cryptography which utilizes some secrecy methods to encrypt and decrypt the information [2-4].The sender uses ciphertext to protect the messages however this can be easily noticeable.Hence the researchers used several techniques to maintain the secrecy.The secrecy of the information can be sustained by using steganography [5].The hidden secret data is then extracted by the authorized user at the destination [6].

    To conceal all types of digital contents (text, video, image, audio, etc.,) modern image processing techniques use steganography [7].Using steganography, the last bit of each image is kept hidden and the modification of the last bit of the pixel value would not make any changes in visual perception [8,9].

    To embed data using steganography many techniques have been used and all follow their own numerical methods.Therefore, to make an attack is an arduous process.Most of the works conducted are based on the secret key of sizes 8bit,16-bit,and20bits.Due to the advancement of the technology,those provide a low-security scheme for the applications, and therefore the secret key size of more than 64 bits has been used nowadays.The training of CNN based approach faces some daunting issues due to the Backdoor attacks.This attack sometimes poisons the samples of training images visibly or invisibly.Moreover, this attack can be carried out by following some specified patterns in the poisoned image and replace them with respective pre-determined target labels.Based on this, attackers make invisible backdoors to the trained model and the attacked model behaved naturally.Hence it is arduous to predict the attack by the human.Since the attack is the best form of defense.In this paper,we are presenting an ICNN-GBOmodel to conduct a backdoor attack via an image towards a specified target.The major contributions in this work are presented as follows:

    ?The GBO algorithm provides a dual-level optimization to the ICNN architecture by minimizing the attackers’loss function and enhancing the success rate of the backdoor attack.

    ?Two types of triggers are created in this work and in the first trigger, a steganography-based technique is used to alter the Least Significant Bit (LSB) of the image to enhance its invisibility and the regularization-based trigger is created using an optimization process.

    ?The effectiveness of the proposed methodology is evaluated with two baseline datasets in terms of different performance metrics such as stealthiness, functionality, attack success rate,anomaly index, and entropy index.

    The remainder of the work is organized as follows.Section 2 presents the literature review and the preliminaries involved in this work is presented in Section 3.Section 4 provides the proposed methodology in detail and Section 6 demonstrates the extensive experiments conducted using baseline datasets to evaluate the effectiveness of the proposed technique.Section 6 concludes this article.

    2 Literature Survey

    The backdoor attack is a trendy and most discussed research area nowadays.This type of attack is the most threatening problem while training the deep learning approaches.The training data are triggered by using backdoor attacks and provide inaccurate detection.There are two types of backdoor attacks (i) visible attack, (ii) invisible attack.Li et al.[10] presented novel covert and scattered triggers to attack the backdoors.The scattered triggers can easily make fool of both the DNN and humans from the inspection.The triggers are embedded into the DNN with the inclusion of the first model Badnets via a steganography approach.Secondly, the Trojan attacks can be made with the augmented regularization terms which create the triggers.The performances of the attacks are analyzed by the Attack success rate and functionality.Using the definition of perceptual adversarial similarity score(PASS) and learned perceptual image patch similarity (LPIPS) the authors measure the invisibility of human perception.However, the attacks against the robust models are difficult to make.

    Li et al.[11] proposed sample-specific invisible additive noises (SSIAN) as backdoor triggers in DNN based image steganography.The triggers were produced by encoding an attack-specified string into benign images via an encoder and decoder network.Li et al.[12] delineated a deep learning-based reverse engineering approach to accomplish the highly effective backdoor attack.The attack is made by injecting malicious payload hence this method is known as neural payload injection (NPI) based backdoor attack.The triggered rate of NPI is almost 93.4% with a 2ms latency overhead.

    The invisible backdoor attack was introduced by Xue et al.[13].They embedded the backdoor attacks along with facial attributes and the method is known as Backdoor Hidden in Facial features(BHFF).Masks are generated with facial features such as eyebrows and beard and then the backdoors are injected into it and thus provide visual stealthiness.In order to make the backdoors look natural,they introduced the Backdoor Hidden in Facial features naturally (BHFFN) approach which encloses the artificial intelligence and achieved better visual stealthiness and Hash similarity score of about 98.20%.

    Barni et al.[14] proposed a novel backdoor attack that triggers only the samples of the target class and without the inclusion of label poisoning.Thus this method ensures the possibility of backdoor attacks without label poisoning.Nguyen et al.[15] presented a novel warping-based trigger.This can be achieved by the presented novel training method known as noise mode.Henceforth the attack is possible in trained networks and the presented attack is a type of visible backdoor attack.

    Tian et al.[16] stated a novel poisoning MorphNet attack method to trigger the data in the cloud platform.By using a clean-label backdoor attack, some of the poisoned samples are injected into the training set.

    The Sophos identifies a new malicious web page for a time interval of 14 s.Based on the Ponemons 2018 state of endpoint security risk report [17], more than 60% of IT experts conveyed that the frequency of attacks has gone very high from the past 12 months.52% of participants say that not every attack can be stopped.The antivirus software is only capable of blocking 43% of attacks and 64% of the participants informed that their organizations have faced more than one endpoint attack that results in a data breach.Hence, these problems can be solved only when we aim from the attacker’s perspective.In this paper, a novel ICNN-GBOmodel is proposed to conduct an attack that is concealed within an image and embattled towards a specific target by conducting an attack against a specific target.The attack can be only evident to the specified target for which it was designed.Researchers have focused their attention on stealthy attacks rather than direct attacks because these attacks are hard to identify.In stealthy attacks, the attacker waits for the victim to visit the malicious site with the help of the internet.The attack created is mainly designed to breach the integrity of the system but also provide normal functionality to the users.

    The backdoor attack [10,11] is mainly related to the adversarial attack and data poisoning.The backdoor attack avails the higher learning ability of the DNN towards the non-robust features.In the training stage, both the data poisoning and backdoor attacks possess certain similarities.Both attacks control the DNN by injecting poisoning samples.However, the goals of both attacks differ in different perspectives.In this work, initially, an image steganography technique is used to inject the trigger in a Bit Level Space (BLS), and in the next phase, a regularization technique is used to inject the trigger and make it undetectable by humans.The performance of the proposed model is evaluated using different backdoor attack performance metrics and their invisibility to humans and intrusion detection software.

    In the threat model [18], we are developing a backdoor attack for the incorrect image classification task.The backdoor attackers can only poison the training data and cannot alter the inference data since they don’t have any additional information regarding the additional settings such as network structure or training schedule.

    3 Backdoor Attack Formation

    An image agnostic poisoning dataset Em=is created for the triggermwith aone-to-one mappingo′=f(o,m) whereo′is marked as the target labelk.The poisoning training datasetis used to retrain the ICNN-GBO modelband thedataset is used to estimate the success rate of the backdoor attack.The functionfis utilized to apply the trigger in the input which results in the poisoning data pointo′.

    The GBO algorithm takes the backdoor attack problem as a dual-level optimization problem which is framed in Eq.(1).The initial optimization (minloss) optimizes the attacker’s loss function and improves the success rate of the backdoor attack without deteriorating the normal data accuracy.The ICNN-GBO model’s retraining optimization is the second objective, in which the model learns the backdoor attack via the poisoning training data.

    The untainted validations set size is represented asm,cxis the training sample, andis the actual dataset.The poisoning validation set is taken asp.The termf(o,t) becomes an image agnostic when the trigger patterntis applied to any imageo.The loss functionl(ox,cx,b*),(ox,cx)∈Ecan be both an appropriate loss or cross-entropy function.The terml(oy,k,b*) strengthens the CNN-GBO modelb*to accurately identify both the trigger pattern (t) and target label output (k).

    The first objective satisfies the normal user functionality whereas the second objective satisfies the success rate of the attacker in poisoning the data.For the parametersb*of the backdoor attack classifier, the objective function is based onf(o,t).This implies that the attacker is capable of inserting only a minimal amount of poisoning samples in the training set.In this way, the attacker solves the optimization problem by injecting a set of poisoned data points in the training data.

    4 Proposed CNN-GBO Model for Backdoor Attack Execution

    In conventional backdoor attacks, thefmapping mainly implies the function that adds the trigger directly to the images.The trigger pattern comes in different shapes and sizes.In our first backdoor attack, we are using steganography to enhance the invisibility by altering the Least Significant bit(LSB) of the image to inject the trigger via poisoning the training dataset.In the regularizationbased backdoor attack framework, the triggers are generated via an optimization process and not in any artificial manner.To make the size and shape of the trigger patterns we are usingLpnorm regularization.This process is very similar to the perturbations used in the adversarial examples.The trigger generated by theLpnorm can modify specific neurons.The steganography-based attack is conducted when the adversary chooses a predefined trigger.If the adversary doesn’t hesitate to use any size or shape of a trigger, it selects theLpnorm regularization attack.In steganography-based attacks, the triggers are manually created and hidden in the cover images.In the regularization-based attacks, three types ofLpnorm are utilized using the values 0, 2, and∞.In this way, the distribution is scattered and the visibility of the target is reduced.The overall architecture of the proposed framework is presented in Fig.1.

    Figure 1: Overall architecture of the proposed framework

    4.1 Generating Triggers Using Steganography

    The Least Significant Bit is altered in the image to inject the trigger into the images.It is the most easier way to hide the trigger data without any noticeable differences.The LSB of the image is replaced with the data that needs to be hidden.The trigger and cover image are converted into binary in this step.The ASCII code of each character present in the text trigger is transformed into an 8-bit binary string.The LSB of each pixel is altered using the trigger.If the binary secret IMAGE size exceeds A*B*C (channel, weight, and height).In this case, the next right most LSB of the cover image is altered from the initial step to the sequential process to alter every pixel with trigger bits.If the size of the binary trigger is larger than the cover image, the binary trigger length is iterated several times.Hence the trigger size has an increased effect on the attack’s success rate.

    The DNN finds it hard to identify the trigger when the length of the text is small enough.The trigger features can be easily captured when the size of the trigger is large.Hence a balance needs to be achieved between the invisibility and attack success rate.We are using the text as a trigger to supply sufficient information to inject into the cover image.Tab.1 provides the trade of achieved between the attack success rate and trigger.When the size of the trigger is increased a lot of bits are altered in the cover images which minimizes the invisibility.However, the increase in the size of the trigger is increased, the DNN easily captures the bit level features improving the attack success rate.The increase in trigger size also reduces the number of epochs to retrain the attack model to learn the bitlevel features.For a trigger size of 200, we need a total of 300 epochs to converge.For a trigger size of 600, the model converges with just 11 epochs.Hence the backdoor attack can be easily injected via steganography into the DNN models with the help of the larger triggers.

    Table 1: Interrelationship between the attack success rate and invisibility

    A baseline modelbis built initially as the target model and the poisoning dataset is created using the LSB algorithm.The source class images which is used as a sample for cover images should be entirely different from the target class.For trigger is injected into the cover images from the source class for poisoning the dataset.Except for the target class, this class is one class of the original training set.The selected images are given a specific target labelk.At the end of this step, we get a poisoning image set (o′,k)∈.In the next step, we integrate the actual clean training set with the poisoning dataset to form our new training dataset.

    The bit-level features are encoded into the DNN model by retraining the baseline modelbvia the novel dataset created.After we have created the new backdoor modelb*, the two validation sets can be built from the initial validation set Eval.The Evalis mainly used to compute the functionality performance metric.To design a poisoning dataset, we poison every image present in the source class in the actual validation dataset.With the help of the, we are measuring the attack success rate.

    4.2 Regularization Based Trigger Generation

    Most of the Trojan Backdoor attacks are employed by using triggers that are created.The triggers that are created are more perceived by human eyes than the triggers that are used in BadNets.Our proposed approach follows the optimization process to create the trigger β*by utilizing arbitrary Gaussian noise β0.While performing the optimization process, the noise is adjusted so that the neuron activations are amplified asG(β)[I] by deteriorating the Lpnorm of the noise.HereIis used to denote the positions that are to be amplified.The optimal noise ψ can be accomplished with the achievement of Lpnorm by the optimization process.The threshold Lpnorm is very small and hence it is arduous to predict the noise by humans.Even though the threshold value is set to halt the optimization process,it also generates the trade-off between the invisibility of the attack and the Attacks’Success rate.If the threshold value is high, it will activate the anchor neuron effectively and it can be easily perceived by the human eyes.Meanwhile, a smaller threshold value means it is arduous to inject the Backdoor into the CNN.For the L2attack, we have set as the value ranges from 1 to 10 and for the L0attack the value must be 1 to 5.ForL∞the value ranges from 0.11 to 0.15.The rest of the optimization utilizes this obtained noise as the backdoor trigger.It can be expressed as,

    Here, the scale factor is denoted as c and the pre-trained modelhcan be activated by neurons on the input noise β.ψ,η are the parameters used to weight and also estimates the losses in our method that is loss function.The threshold value of the input noise β can be increased by performing scaling neuron activations.However, the reduction of threshold value leads to arduous to make neuron activation.Hence to overcome these issues we are focus to make the scaling of neuron activation in a particular location in order to access the target values easily.By revising the gradient value of the input noise β will be varied and makes theLpincrease continuously.Secondly, the optimization is used to make the triggers not to predicted by reducing theLp-norm.To analyze the local optimum, we have adopted the Coordinate Greedy (iterative improvement) in the second attack.

    Henceforth, the first term of the loss function can be optimized along with the small value of η and performed neuron activation until the threshold value and beyond.The second term of Eq.(3) is called a regularization term and can be predetermined along with a small value of weight i.e.,η= 1.

    4.2.1 Evaluating the Anchor Locations

    The next issue is that to set the neuron locationIin the networks to be amplified.To achieve the neuron activation, we first want to select the penultimate layer as the target layer.After that, the location of the anchor is selected in the targeted layer.The penultimate layer is in the shape of [bι,N]and can be used for multiclass classification.Here,bι shows the size of the batch, and N is the hidden units in the penultimate layer.Following this is a fully linked layer with a weight matrix of shape[N,Nι] andNιis the number of class labels used.The classification output of each class is obtained by utilizing the softmax layer after the fully connected layer.Hence we exploit ResNet-18 as the network architecture and it uses the ReLU activation function to activate the neuron of each residual block.Therefore, with the support of the estimated weight of the fully connected layer,ω the location of the anchor can be evaluated.

    The activation factor of the penultimate layer is given asGp; the target label is indicated as t; The tthcolumn vector of the fully connected weight ω can be given as ω[:,t].Mostly to achieve the efficacy of selecting the anchor locations the descending order of ω[:,t] will be selected.

    4.2.2 Performing Optimization Based on K2 Regularization

    The scaling of activation of the anchor locations is performed after the completion of selecting theanchor location.It is conducted via the objective that has been determined in Eq.(3).The performance can be analyzed by deeming the three types of threshold (Lp-norm ) regularization i.e., L2, L0, andL∞.The first regularization begins with arbitrary Gaussian noise β0and ends with local optimal perturbation β*.

    4.2.3 Performing Optimization Based on K0 Regularization

    The optimization based on L0regularization on Eq.(3) faces two issues such as (i) selecting the locations that can be utilized for optimization (ii) selecting the number of locations in the image that are to be optimized.The former can be overcome by employing Saliency Map [19].This map records the priority of each location from the input image and thus circumvents the problem.The later one produces the tradeoff between the efficacy of training the trigger and invisibility and most promptly it ended with the result of predictable by the human eyes.

    The Saliency Map can be constructed by using the iterative algorithm and at the end of each iteration, the inactive pixels are identified.Then the pixels are fixed by using the Saliency map which means the values of the fixed pixels remain constant throughout the process.The number of fixed pixels increases with the number of iterations and halt the process when we acquire the required locations for optimization.Also, the detection of a minimal subset of pixels is made to create an optimal trigger by modifying their values.The steps involved in the iterative optimization algorithm are shown in Algorithm 1.

    Algorithm 1: Pseudocode for the Saliency Map Generation Initialize the input Gaussian β0, Saliency Map Mask {1}, Let the shape be ω×H,Target activation value ι= c * Gp(β0)[anchor]The minimal pixels number is defined as T The trigger L2can be generated with T0.Output: Saliency Map mask, Optimal pattern β*Begin For each iteration i do β=β0 For (0<j<T0) do f(β) =ι- Gp(β)[anchor]β=β- lr * mask *Δβf(β)End α=β-β0 a =Δβf(β)j = argminjαj.aj Mask [j]=0 β0= Bin(β)clipping thevalue to [0,255]If i>(ω* H - T) then break;end β*=β Return β*, mask end

    The estimation of loss function f is carried for each iteration among the activation valueGp(β0)[anchor] and its scale target value ι.The gradient obtained from the loss function be considered as α.The mask of the input β can be updated by using the Saliency Map mask which results in β=β-lr*mask*Δβf(β).The gradient objective function can be estimated asa=Δβf(β).The fixed pixels are given asj= argminjαj.ajfrom which theiis removed.

    4.2.4 Optimization with L∞

    TheL∞norm is a more invisible distance metric when compared withL0.Here in theL∞attack,we replace the term withL2term in the objective function.The normalization penalty is derived as shown below:

    Since the term ||β||∞penalizes the largest entry when evaluated with gradient descent often poor results are obtained and to overcome this problem an iterative search is conducted in theL∞search space.In Eq.(5), theL∞normalization cost is modified when the penalty of any pixels increases the initial value of τ and decreased slowly in each round.The initial value of τ is set as 1.The value ofL∞is optimally changed as shown in Eq.(6).

    The position set of the input sample is represented as ρ in Eq.(6) anda+= max(a,0).In ourevery experiment the value of βjis less than τ.In this way, we can directly search the search space to find an optimal value for τ in the real number space.Here the value τ represents theL∞normalization of our trigger and every pixel in our trigger is set at a value less than 1.

    4.2.5 Universal Backdoor Attack

    After the last trigger (β*) is generated, the poisoning image is constructed by injecting the trigger into the image randomly taken from the original training data set.The dataset is assigned a sampling ratio η and the target labelkis constructed by the attacker.This attack is mainly termed as universal because we are constructing a poisoned image o` by selecting a random image o without giving any importance to the original labels.After the input images are poisoned using the above process, we have a poisoning image set (o′,k)∈.To form a novel training set (Etrain∪Em) we integrate both the actual and poisoning training set together.The η value is an element of (0, 0.1] to manage the amount of pollution in the poisoning training datasetto the overall training set.The new training set created can be exploited to retrain theb*classifier from the original ICNN-GBO model.The ICNN-GBO model gives high performance after retraining it with a pollution rate (η) of 0.05 for a total number of 5 epochs before convergence.The attack performance is evaluated using two validation sets.

    4.3 Improved CNN Classifier Model Implementation

    In this proposed work, the ICNN [20] is used to conduct a background attack on the target.During the training phase, the malicious image is injected along with the target label.The output of the network is computed using an error function (softmax).The network parameters are modified by comparing the output with the error rate and the appropriate response obtained.Using the Stochastic Gradient Descent, every parameter is modified to minimize the network error.

    4.3.1 Convolution Layer

    This layer is used by the CNN layer to convolve the input image.The advantages offered by the convolutional layer are: the parameters are minimized via the weight distribution strategy, the adjacent pixels are trained using the local links, and stability is created when there is any alteration in the position of the object.

    4.3.2 Hybrid Pooling Technique

    To minimize the network parameters, the pooling layer is placed next to the convolutional layer.In the improved CNN, we are using a hybrid pooling technique.The pooling technique delivers an outputPifor a pooling regionAi, wherei=1, 2, 3,...,I.The activation sequence inAiis represented as{s1,s2,...,s|Aj|}and the total number of activations is represented using|Aj|.By retrieving the outputs of every pooling region, the pooling feature map{P= {P1,P2,...,PI}}can be derived.For each feature map present in the convolutional layer in the training phase, the average pooling is applied with a probability value ρ and the maximum pooling is applied with a probability ρ-1.This process is applied to every region.When a pooling process is applied for the convolutional feature map, we get the following pooling process:

    In the testing phase, for each pooling region output obtained and the expected value for each pooling regionPis computed using the equation below:

    wherePHYBrepresents the hybrid pooling and Fig.2 demonstrates the hybrid pooling process with a stride and filter size of 2.The existing stochastic pooling algorithms [21,22] were mainly used to select a pooling technique using the probability value.The hybrid pooling technique differs from these techniques in such a way that it can improve the generalization capability using different feature extraction techniques and also averages them in each stage.In each convolutional layer, the pooling process is managed using the parameter ρ.For an instance, if the value of ρ is 0, then the average pooling operation is executer and if the value of ρ is 0, then the max-pooling process is executed.The hybrid pooling process is implemented when the value is 0<ρ<1.To enhance the generalization capability in both the training and testing stages, hybrid pooling is applied using different variants.

    For images of 16×16 pixels and 32×32 pixels, three convolutional and two-hybrid pooling layers are implemented.Whereas for the images of 64×64 pixels, 4 convolutions and three hybrid pooling layers are deployed.The stride is increased to enhance the speed of the ICNN process by reducing the stride value.The ICNN input is a color image with a fixed size and the Rectified Linear Unit (ReLU)is deployed in the last layer.The batch normalization layers are added in between the convolutional and ReLU layer to speed up the ICNN training process and also minimize the sensitivity associated with network initialization.Tab.2 provides the configuration of an image with a size of 32×32 pixels.

    Figure 2: Working of the hybrid pooling methodology

    Table 2: ICNN configuration for an image size of 32×32

    Table 2: Continued

    Using the mean (μX) and variance value (σX) computed, the batch normalization function normalizes the inputs (ai) for a mini-batch and for each input channel.The process can be described using the equation below:

    In Eq.(13), the variable η is used to enhance the numerical stability when the mini-batch variance value is very minimal.The layers that use batch normalization do not consider the mean and unit variance values whose input is zero as an optimal value.In this scenario, the batch normalization layer shifts and scales the activations as shown below:

    During the network training, the offset (o) and scale factor (σ) are set as learnable parameters and are updated only during the training.The network training process is optimized using batch normalization.In this way, we can accommodate a higher learning rate which enhances the speed of the network during training.However, initialization of the weights can be complex and for this process, we are using the GBO algorithm.The GBO algorithm is mainly used to minimize the impact of the huge number of ICNN parameters while training.Because an increased number of parameters and layers complicate the training process which negatively influences the accuracy of the proposed methodology.The GBO algorithm mainly finds the optimal number of hyperparameters to tune the improved CNN model and offers increased accuracy to identify the target accordingly and conduct the attack.

    4.4 Gradient-Based Optimization (GBO)

    The adopted GBO [23] is exploited to solve the optimization problem in the attack creation to attack the image file of transmission.It follows several rules and is explained in the following sections.

    4.4.1 Gradient Search Rule (GSR)

    Mostly the GBO is used to prevent from falling for local optima.One of the feature movements of direction (DM) of GSR is used to acquire the valuable speed of convergence.Based on these GSR and DM parameters, the location of attackers can be updated to the vector position as follows:

    The parameterjdenotes the number of iterations;σmin, and σmaxparameters are predefined values with 0.32 and 1.34 respectively.Jis the total number of iterations to be conduct and the parameter ε ranges from 0 to 0.1.randiis theithrandom number and the ?2is determined as,

    In Eq.(20),rand(1 :M) is the random number along with M dimensionality.r1, r2, r3,andr4are the selected random numbers from the (1:M) wherer1/r2r3r4m.The step size of the attackers can be determined with the aid of S parameters which will be evaluated from theabestand.Henceforth, the optimized new vectorAcan be evaluated with the inclusion ofabestand.

    The best optimal solution of the next iterations can be evaluated with the consideration of,, and the current location ofand can be expressed as,

    4.4.2 Local Escaping Operator (LEO)

    The LEO is used to minimize the computational complexity during the estimation of an optimal global solution to generate the attack.The main purpose of this LEO is to prevent falling from local optima and generates enormous optimal solutions along with candidate solutionand position vectorAbest.Moreover, two random solutions and candidate solutions are also generated namely,, andrespectively.

    Algorithm 2: Pseudocode for the generation of XjLEO If rand<Prob If rand<0.4 Aj LEO= Aj+1m+ d1×(e1×abest- e2×aj κ) + d2×?1×(e3×(A2j m- A1j m) + e2×(ajr1- ajr2))/2 Aj+1 m= Aj LEO Else Aj LEO= Abest+ d1×(e1×abest- e2×ajκ) + d2×?1×(e3×(A2j m- A1j m) + e2×(aj r1- ajr2))/2 Aj+1 m= Aj LEO End If end

    Algorithm 2 denotes the pseudo-codes for generating.The random number that has been selected randomly between the value -1and1is denoted asd1.The normal distribution along with the standard deviation and mean are merged between the value1 and 0and are denoted as a random numberd2.The probability of occurrence of the local optima of attacks can be denoted byProb.Thee1,e2, and e3are the random numbers.

    5 Experimental Analysis and Results

    This section evaluates the performance of the two types of attacks conducted.For both, the triggers generated we are injecting the triggers inside the images from the CIFAR10 [24] and MSCELEB 1M database [25].These two datasets are widely deployed for image classification tasks and our experiments are run using an Acer Predator PO3-600 machine with a 64 GB memory.The proposed ICNN-GBO model is implemented using the Matlab programming interface.

    CIFAR10 dataset: This dataset comprises a total of 60000 images with a size of 32 32 pixels and each image belongs to the ten classes.We are splitting the training and validation ratio by 9:1 where 50000 images are used for training and 10000 is used for testing.

    MS celeb 1M database: It is a large-scale face recognition dataset that comprises 100 K identities and each identity has a total of 100 facial images.The labels of these images are obtained from the web pages.

    The definition of the performance metrics such as Attack success rate and functionality is provided below: Attack success rate: The outcome of the poisonedb*model is taken as?o=b*(a′) for a poisoned inputdataa′.The attacker’s target is represented askandthea′rato measures whether it is equal to the target value.This measure helps to find out whether the ICNN-GBO model is capable of identifying the trigger pattern injected in the inputimages.If the neural network has a higher capability to identify the trigger pattern, then the value of the attack success rate is high.

    Functionality: For users other than the target, the functionality score captures the performance of the ICNN-GBO model in the actual validation dataset (Eval).The attacker needs to maintain the functionality or else the intrusion software or users will detect the presence of a backdoor attack.

    5.1 Comparison in Terms of Different Attacks for Single Target Backdoor Attack

    We have compared the performance of our backdoor attack using different triggers as shown in Tab.3.The single-pixel attack is the most complex one to be identified by our proposed ICNN-GBO model when differentiating the clean and poisoned samples.The results are constructed using an MS celeb 1M database.The single-pixel attack usually takes more number epochs to converge, but the use of the GBO algorithm helps to find the optimal solution rapidly.Our steganography approach needs only a 0.1 pollution rate and a trigger size of 500 for convergence.The results are obtained within the 18thepoch itself.The performance of the backdoor attack can be even improved by increasing the size of the text trigger.The results show that both attacks offer comparable attack success rates when evaluated in terms of attack success rate.

    Table 3: Performance evaluation of single target backdoor attacks using different triggers

    The effect of the pollution rate (τ) is evaluated in terms of a single target backdoor attack in this section.In a single target attack, the pollution rate is computed based on the samples drawn from a single class in the dataset.The images obtained are then poisoned using the steganography technique.The impact of the pollution is identified using both the CIFAR-10 and MS Celeb 1M dataset and the results obtained are demonstrated in Fig.3.In both the results, an increase in pollution rate improves the attack success rate while maintaining the functionality range is stable.

    Figure 3: Impact of pollution rate in functionality and attack success rate.(a) Results obtained for the CIFAR-10 dataset and (b) Obtained for the MS Celeb 1M dataset dataset

    5.2 Comparison Using Pollution Rate for Universal Attack

    In the universal attack, the poisoned samples are selected randomly from the training site whereas,in the single target attack, the poisoned images are selected from only a single source class.The normalization values for the L0, L2, andL∞are set as 5, 10, and 0.1.The results shown in Fig.4 illustrate the performance of the universal attack in terms of pollution rate.As per the results shown in Fig.4, the increase in pollution rate simultaneously increases the success rate.However, the functionality remains the same.The minimum pollution rate needed to obtain the higher attack success rate differs.

    Figure 4: Impact of pollution rate in terms of L∞attack.(a) CIFAR10 dataset.(b) MS-CELEB 1M dataset

    5.3 Comparison in Terms of Stealthiness

    The poison images generated by different attacks are shown in Fig.5.Our proposed methodology offers higher results in terms of attack stealthiness when compared to BadNets and NNoculation [26].The poisoned images generated by our technique have no differences that can be identified using the naked eye.The triggers injected by the BadNets and NNoculation are better when hiding their attack stealthiness in white images but the differences are observed in images with dark backgrounds.

    The performance of the attack success rate and functionality for both the L0-normalization and L2-normalization is present in Figs.7 and 8.The results are provided for both CIFAR 10 and MS-CELEB 1M datasets.In the CIFAR-10 dataset, there are fewer perturbations that are complex even for humans hence the performance obtained in terms of functionality and attack success rate is above satisfactory.In the L0-Norm, the attack success rate is enhanced up to 100%.Both the CIFAR10 and MS-CELEB 1M datasets provide an L2-Norm of above 91%.In the L0-Norm the model converges faster than the L2-Norm.This shows that the triggers which use less complex shapes are easily identifiable by the DNN networks.This has been shown in Fig.6.

    Figure 5: Poison samples generated by different attacks.(a), (b), and (c) represent training samples from the Badnet attack.(d), (e), and (f) represent training samples from the NNoculation attack.(g),(h), and (i) represent training samples from the proposed attack

    Figure 6: (Continued)

    Figure 6: L0 and L1 Norm evaluation in terms of functionality and success rate.(a) Evaluation of CIFAR10 dataset in terms of L0-Norm.(b) Evaluation of MS-CELEB 1M dataset in terms of L0-Norm.(c) Evaluation of CIFAR10 dataset in terms of L2-Norm.(d) Evaluation of MS-CELEB 1M dataset in terms of L2-Norm

    Fig.7 presents the results in terms of anomaly index and the smaller the anomaly index value harder it is recognized by the Neural Cleanse [27].The neural cleanse calculates the trigger candidates to transform the normal images into their corresponding labels.It then verifies whether any image is smaller than the other image in size and if it finds it then it marks it as a backdoor attack.The proposed methodology is compared with the BadNet, SSIAN, NPI, and BHFFN techniques.From Fig.7, we can observe that our proposed methodology provides a higher defensive shield in terms of the Neural Cleanse technique.

    Figure 7: Comparison in terms of anomaly index.(a) CIFAR-10 and (b) MS-CELEB 1M

    5.4 Resistance Towards the STRong Intentional Perturbation Based Run-Time Trojan Attack Detection System (STRIP-RTADS)

    Based on the random prediction of samples generated by the ICNN-GBO model, the STRIPRTADS [28] sorts the poisoned instances that possess diverse image patterns.Using the entropy value, the randomness is measured and it is computed by taking an average prediction value of those instances.The higher the entropy value, the harder it is to detect by the STRIP-RTADS framework.As per the results shown in Fig.8, the proposed method exhibits higher entropy when compared to the BadNet, SSIAN, NPI, and BHFN techniques when evaluated with both datasets.

    Figure 8: Comparison in terms of entropy index.(a) CIFAR-10 and (b) MS-CELEB 1M

    6 Conclusion

    Our proposed CNN-based GBO work in this article is used to generate backdoor attacks on the image files.The backdoor attack triggers are generated using steganography and regularization based approaches.The ICNN-GBO model’s objective function satisfies the normal user functionality with an increase in attack success rate.The performance of the proposed technique is evaluated in terms of two baseline datasets via different performance metrics such as functionality, Clean Model accuracy,attack success rate, pollution rate, stealthiness, etc.The poisoned image generated by the LSB-based steganography technique and optimized regularization techniques are hardly visible to the naked eye and the intrusion detection software hence it offers optimal performance in terms of stealthiness when compared to the badNet and NNoculation models.The functionality, attack success rate, and clean model accuracy for the proposed scheme are above 99% for the single target backdoor attack.The proposed methodology also offers high resistance when evaluated with the Neural Cleanse and STRIPRTADS attack detection methodologies.

    Funding Statement:This project was funded by the Deanship of Scientific Research (DSR) at King Abdulaziz University, Jeddah, under Grant No.(RG-91-611-42).The authors, therefore, acknowledge with thanks to DSR technical and financial support.

    Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.

    狂野欧美激情性xxxx| 欧美激情 高清一区二区三区| 97碰自拍视频| 一边摸一边做爽爽视频免费| 亚洲专区字幕在线| 久久久久久久久中文| 国产熟女午夜一区二区三区| 香蕉丝袜av| 99国产精品一区二区蜜桃av| 国产黄色免费在线视频| 久久性视频一级片| 99久久国产精品久久久| 在线av久久热| www.熟女人妻精品国产| 亚洲精品国产一区二区精华液| 久久午夜综合久久蜜桃| 精品国内亚洲2022精品成人| 亚洲午夜精品一区,二区,三区| 亚洲中文字幕日韩| 久久国产精品男人的天堂亚洲| 大陆偷拍与自拍| 欧美精品一区二区免费开放| 欧美日韩一级在线毛片| 桃红色精品国产亚洲av| 国产人伦9x9x在线观看| 精品国产亚洲在线| 99精品欧美一区二区三区四区| 69av精品久久久久久| 久久精品国产99精品国产亚洲性色 | 韩国精品一区二区三区| 搡老岳熟女国产| 国产精品二区激情视频| 精品福利永久在线观看| 在线播放国产精品三级| 亚洲成人免费电影在线观看| 午夜影院日韩av| 免费高清在线观看日韩| 中出人妻视频一区二区| 久久久久国产精品人妻aⅴ院| www.自偷自拍.com| 嫩草影院精品99| 亚洲一卡2卡3卡4卡5卡精品中文| 成人国语在线视频| 日韩欧美一区二区三区在线观看| 人人妻,人人澡人人爽秒播| 国产欧美日韩一区二区三区在线| 女人高潮潮喷娇喘18禁视频| 日本欧美视频一区| 黄片小视频在线播放| 嫩草影院精品99| 国产精品久久视频播放| 精品国产一区二区久久| 美女扒开内裤让男人捅视频| 国产精品电影一区二区三区| 亚洲午夜精品一区,二区,三区| 欧美亚洲日本最大视频资源| 国产在线观看jvid| 亚洲熟妇中文字幕五十中出 | 99精品在免费线老司机午夜| 97人妻天天添夜夜摸| 婷婷精品国产亚洲av在线| 日韩精品免费视频一区二区三区| 亚洲成人免费电影在线观看| 99精品在免费线老司机午夜| 制服人妻中文乱码| 丰满迷人的少妇在线观看| 久久国产精品人妻蜜桃| 99精品在免费线老司机午夜| 黄色毛片三级朝国网站| 成年版毛片免费区| 日韩免费av在线播放| 一区福利在线观看| 天堂影院成人在线观看| 日韩大尺度精品在线看网址 | 伦理电影免费视频| 国产伦一二天堂av在线观看| 激情视频va一区二区三区| 亚洲av成人不卡在线观看播放网| 日韩视频一区二区在线观看| 精品午夜福利视频在线观看一区| 国产乱人伦免费视频| 亚洲精品久久成人aⅴ小说| 亚洲黑人精品在线| 亚洲在线自拍视频| 午夜精品国产一区二区电影| 午夜亚洲福利在线播放| 婷婷丁香在线五月| 少妇 在线观看| 在线免费观看的www视频| 久久天躁狠狠躁夜夜2o2o| 亚洲精品国产色婷婷电影| 中文亚洲av片在线观看爽| 亚洲第一青青草原| 人人妻人人澡人人看| 国产成人精品久久二区二区免费| 波多野结衣高清无吗| 极品教师在线免费播放| 欧洲精品卡2卡3卡4卡5卡区| 久久精品91蜜桃| 日韩三级视频一区二区三区| 国产亚洲欧美98| 老司机深夜福利视频在线观看| 男人舔女人下体高潮全视频| 大香蕉久久成人网| 美女福利国产在线| 欧美av亚洲av综合av国产av| 久久亚洲真实| 欧美大码av| 黄色 视频免费看| 老汉色av国产亚洲站长工具| x7x7x7水蜜桃| 曰老女人黄片| 亚洲av美国av| 黄色片一级片一级黄色片| 午夜日韩欧美国产| 午夜福利欧美成人| 桃红色精品国产亚洲av| 色综合婷婷激情| 亚洲美女黄片视频| 日韩人妻精品一区2区三区| av天堂久久9| 每晚都被弄得嗷嗷叫到高潮| 男女之事视频高清在线观看| 亚洲欧洲精品一区二区精品久久久| 亚洲三区欧美一区| 欧美激情极品国产一区二区三区| 国产单亲对白刺激| 久久香蕉精品热| 天堂√8在线中文| 99久久国产精品久久久| 成人永久免费在线观看视频| 一级a爱片免费观看的视频| 午夜亚洲福利在线播放| 国产aⅴ精品一区二区三区波| 亚洲成人久久性| 天天添夜夜摸| 9色porny在线观看| 亚洲成人免费av在线播放| 欧美成人性av电影在线观看| 免费观看精品视频网站| 天天影视国产精品| 69精品国产乱码久久久| 国产精品乱码一区二三区的特点 | 亚洲黑人精品在线| 国产精品电影一区二区三区| 亚洲美女黄片视频| 大香蕉久久成人网| 美国免费a级毛片| 一区福利在线观看| 在线观看免费午夜福利视频| 亚洲一区中文字幕在线| 天堂√8在线中文| 国产97色在线日韩免费| 激情在线观看视频在线高清| 99在线人妻在线中文字幕| 精品久久久久久电影网| 国产伦一二天堂av在线观看| 岛国视频午夜一区免费看| 一区在线观看完整版| 久久国产精品人妻蜜桃| 极品人妻少妇av视频| 一区在线观看完整版| 亚洲欧美精品综合久久99| 欧美一级毛片孕妇| 精品一区二区三区av网在线观看| 亚洲va日本ⅴa欧美va伊人久久| 黄色 视频免费看| 欧美黑人精品巨大| 在线看a的网站| 首页视频小说图片口味搜索| 男男h啪啪无遮挡| 亚洲精品中文字幕在线视频| 国产91精品成人一区二区三区| cao死你这个sao货| 国产亚洲欧美98| 成人精品一区二区免费| 国产成人欧美| av在线播放免费不卡| 欧美在线一区亚洲| 欧洲精品卡2卡3卡4卡5卡区| 在线观看免费高清a一片| 国产成人欧美| 亚洲专区中文字幕在线| 国产精品一区二区精品视频观看| 看黄色毛片网站| 天堂俺去俺来也www色官网| 另类亚洲欧美激情| 欧美日韩一级在线毛片| 一级黄色大片毛片| 18禁美女被吸乳视频| 国产aⅴ精品一区二区三区波| 日韩欧美国产一区二区入口| 日韩高清综合在线| 欧美人与性动交α欧美软件| 黄片小视频在线播放| aaaaa片日本免费| 麻豆成人av在线观看| 免费观看人在逋| 国产精品久久电影中文字幕| 老熟妇仑乱视频hdxx| 少妇裸体淫交视频免费看高清 | 亚洲精品国产区一区二| 欧美亚洲日本最大视频资源| 精品一区二区三卡| 亚洲av电影在线进入| 很黄的视频免费| 天堂影院成人在线观看| 可以在线观看毛片的网站| a级毛片黄视频| 一级a爱片免费观看的视频| 90打野战视频偷拍视频| 国产国语露脸激情在线看| 精品国内亚洲2022精品成人| 每晚都被弄得嗷嗷叫到高潮| www.999成人在线观看| 国产欧美日韩一区二区精品| 人妻丰满熟妇av一区二区三区| 超碰97精品在线观看| 欧美黄色片欧美黄色片| 久久性视频一级片| 国产激情欧美一区二区| 亚洲全国av大片| 国产一区二区三区在线臀色熟女 | 欧美日本亚洲视频在线播放| 精品熟女少妇八av免费久了| 成人特级黄色片久久久久久久| 日韩欧美免费精品| 久久国产亚洲av麻豆专区| 亚洲精品久久成人aⅴ小说| 人人妻人人澡人人看| 一级黄色大片毛片| 69av精品久久久久久| 50天的宝宝边吃奶边哭怎么回事| 少妇被粗大的猛进出69影院| 狂野欧美激情性xxxx| 国产精品免费视频内射| 俄罗斯特黄特色一大片| 亚洲精品av麻豆狂野| 国产精品香港三级国产av潘金莲| 久久久久久亚洲精品国产蜜桃av| 国产欧美日韩一区二区三区在线| 两性夫妻黄色片| 免费日韩欧美在线观看| 免费高清在线观看日韩| 免费一级毛片在线播放高清视频 | 一边摸一边抽搐一进一小说| 色婷婷久久久亚洲欧美| 黄色视频,在线免费观看| 最近最新中文字幕大全电影3 | 激情在线观看视频在线高清| 久久久久久大精品| 亚洲色图综合在线观看| 国产精品二区激情视频| 欧美大码av| 欧美av亚洲av综合av国产av| 99久久精品国产亚洲精品| 成人特级黄色片久久久久久久| 满18在线观看网站| 国产成+人综合+亚洲专区| 国产欧美日韩精品亚洲av| www.精华液| 涩涩av久久男人的天堂| 99久久国产精品久久久| 欧美一区二区精品小视频在线| 久久久久久久久久久久大奶| 757午夜福利合集在线观看| 91成年电影在线观看| 国产成人av激情在线播放| avwww免费| 日本撒尿小便嘘嘘汇集6| 国产成人欧美| 如日韩欧美国产精品一区二区三区| 岛国在线观看网站| 午夜福利免费观看在线| 可以在线观看毛片的网站| 国产欧美日韩一区二区三| 中出人妻视频一区二区| 亚洲成人精品中文字幕电影 | 亚洲成人免费电影在线观看| 1024视频免费在线观看| 一边摸一边抽搐一进一出视频| 久久久久久久午夜电影 | 亚洲性夜色夜夜综合| 淫妇啪啪啪对白视频| 精品人妻在线不人妻| 国产亚洲欧美98| 国产欧美日韩一区二区三区在线| 久久久国产成人免费| 黑人巨大精品欧美一区二区mp4| 中文字幕另类日韩欧美亚洲嫩草| 香蕉久久夜色| 久久中文字幕人妻熟女| 韩国av一区二区三区四区| 女生性感内裤真人,穿戴方法视频| 国产精品一区二区在线不卡| 国产精品久久久人人做人人爽| 首页视频小说图片口味搜索| 91成人精品电影| 无人区码免费观看不卡| 精品电影一区二区在线| 国产欧美日韩一区二区精品| 色哟哟哟哟哟哟| 这个男人来自地球电影免费观看| 国产精品99久久99久久久不卡| 午夜亚洲福利在线播放| 又黄又粗又硬又大视频| 国产一区二区三区在线臀色熟女 | 亚洲国产精品一区二区三区在线| 中文字幕最新亚洲高清| 午夜两性在线视频| 精品高清国产在线一区| 丝袜在线中文字幕| 国产亚洲欧美在线一区二区| 久久久久精品国产欧美久久久| 啦啦啦免费观看视频1| 女人精品久久久久毛片| 99国产极品粉嫩在线观看| 亚洲人成电影免费在线| 日本免费一区二区三区高清不卡 | 欧美中文日本在线观看视频| 国产成人系列免费观看| 亚洲一区高清亚洲精品| 亚洲成人精品中文字幕电影 | 热re99久久精品国产66热6| 麻豆av在线久日| 色老头精品视频在线观看| 日韩欧美免费精品| 两性午夜刺激爽爽歪歪视频在线观看 | svipshipincom国产片| 免费少妇av软件| 久久久久久亚洲精品国产蜜桃av| 97碰自拍视频| 97超级碰碰碰精品色视频在线观看| 天天躁夜夜躁狠狠躁躁| 久久久精品国产亚洲av高清涩受| 乱人伦中国视频| 国产极品粉嫩免费观看在线| 成人国产一区最新在线观看| 国产精品秋霞免费鲁丝片| 亚洲成人久久性| 后天国语完整版免费观看| 亚洲人成网站在线播放欧美日韩| 国产成人影院久久av| 国产精品99久久99久久久不卡| 大型av网站在线播放| 亚洲专区字幕在线| 欧美成人性av电影在线观看| 欧美日韩av久久| 亚洲精品中文字幕一二三四区| 国产熟女xx| 露出奶头的视频| 真人做人爱边吃奶动态| 精品久久久久久久毛片微露脸| 国产99久久九九免费精品| 国产精品一区二区三区四区久久 | 男人操女人黄网站| 色综合站精品国产| 丝袜美足系列| 99精国产麻豆久久婷婷| 欧美 亚洲 国产 日韩一| 欧美日韩亚洲综合一区二区三区_| 中文字幕高清在线视频| 国产一区二区三区在线臀色熟女 | 亚洲熟妇熟女久久| 中文欧美无线码| 午夜亚洲福利在线播放| 中文字幕色久视频| 精品福利观看| 中文字幕人妻丝袜一区二区| 久久久国产成人精品二区 | 欧美日韩中文字幕国产精品一区二区三区 | 女人精品久久久久毛片| 91成人精品电影| 久久精品91无色码中文字幕| 一边摸一边做爽爽视频免费| 亚洲色图 男人天堂 中文字幕| 国产一区二区三区视频了| 如日韩欧美国产精品一区二区三区| 妹子高潮喷水视频| 日本一区二区免费在线视频| 女人高潮潮喷娇喘18禁视频| 精品久久蜜臀av无| 久热这里只有精品99| www.熟女人妻精品国产| 欧美黑人欧美精品刺激| 国产成人免费无遮挡视频| 亚洲精品粉嫩美女一区| 精品国产国语对白av| 叶爱在线成人免费视频播放| 不卡av一区二区三区| 18禁美女被吸乳视频| 久久久久国产精品人妻aⅴ院| 69av精品久久久久久| 9热在线视频观看99| 一级片免费观看大全| 亚洲欧美日韩另类电影网站| 欧美日韩视频精品一区| 999久久久国产精品视频| 国产成人一区二区三区免费视频网站| 欧美日本亚洲视频在线播放| 欧美日韩亚洲国产一区二区在线观看| 国产欧美日韩一区二区三| 久久热在线av| 成年人免费黄色播放视频| 成人精品一区二区免费| 久久人妻熟女aⅴ| 午夜福利影视在线免费观看| 精品福利永久在线观看| 久久精品91蜜桃| 久久久国产成人免费| 自线自在国产av| 97超级碰碰碰精品色视频在线观看| 亚洲成人精品中文字幕电影 | 女人高潮潮喷娇喘18禁视频| 欧美成人免费av一区二区三区| 亚洲成人免费av在线播放| 自拍欧美九色日韩亚洲蝌蚪91| 欧美黑人精品巨大| 精品久久久久久久久久免费视频 | xxx96com| 久久久国产精品麻豆| 亚洲一区二区三区不卡视频| 欧美在线一区亚洲| 精品国产亚洲在线| 国产成人精品在线电影| 搡老熟女国产l中国老女人| 日本免费a在线| 色婷婷久久久亚洲欧美| 亚洲人成电影观看| 三上悠亚av全集在线观看| 亚洲欧美激情综合另类| 男女下面进入的视频免费午夜 | 国产精品偷伦视频观看了| 999精品在线视频| 三级毛片av免费| 波多野结衣av一区二区av| 成人三级做爰电影| 亚洲精品一二三| 我的亚洲天堂| 嫩草影院精品99| 久久久久国产精品人妻aⅴ院| 久久天躁狠狠躁夜夜2o2o| 在线观看www视频免费| 国产精品美女特级片免费视频播放器 | 久久天堂一区二区三区四区| 最新美女视频免费是黄的| 欧美日本中文国产一区发布| 午夜日韩欧美国产| cao死你这个sao货| 999久久久精品免费观看国产| 黄色片一级片一级黄色片| 精品久久久久久,| 亚洲精品国产一区二区精华液| 国产精品免费一区二区三区在线| 真人做人爱边吃奶动态| 狠狠狠狠99中文字幕| 国产亚洲av高清不卡| 中文字幕人妻熟女乱码| 无遮挡黄片免费观看| 国产激情久久老熟女| 久久天堂一区二区三区四区| 91精品国产国语对白视频| 国产亚洲精品久久久久5区| 亚洲专区国产一区二区| 操出白浆在线播放| 久久国产精品男人的天堂亚洲| 国产高清videossex| 国产精品一区二区三区四区久久 | 国产色视频综合| 久久香蕉精品热| 亚洲美女黄片视频| 国产黄a三级三级三级人| 国内久久婷婷六月综合欲色啪| 欧美日本亚洲视频在线播放| 在线观看免费午夜福利视频| 国产亚洲av高清不卡| 满18在线观看网站| 高清欧美精品videossex| 一个人免费在线观看的高清视频| 精品一区二区三区av网在线观看| 国产一卡二卡三卡精品| www.熟女人妻精品国产| 久久亚洲精品不卡| 亚洲国产中文字幕在线视频| 免费少妇av软件| www国产在线视频色| 村上凉子中文字幕在线| 很黄的视频免费| 成人国产一区最新在线观看| bbb黄色大片| 三上悠亚av全集在线观看| 高清毛片免费观看视频网站 | 天天躁狠狠躁夜夜躁狠狠躁| 中文字幕色久视频| 日本 av在线| 久久热在线av| 国产一卡二卡三卡精品| www.熟女人妻精品国产| 一区二区日韩欧美中文字幕| 国产片内射在线| 深夜精品福利| 咕卡用的链子| 超色免费av| 精品人妻1区二区| 国内久久婷婷六月综合欲色啪| 亚洲精品国产精品久久久不卡| 免费在线观看视频国产中文字幕亚洲| 高清毛片免费观看视频网站 | 别揉我奶头~嗯~啊~动态视频| 国产三级在线视频| 黄色丝袜av网址大全| 久久精品人人爽人人爽视色| 亚洲精品一卡2卡三卡4卡5卡| 99香蕉大伊视频| 亚洲国产精品999在线| 成人18禁高潮啪啪吃奶动态图| 欧美日韩中文字幕国产精品一区二区三区 | 精品国内亚洲2022精品成人| 精品免费久久久久久久清纯| 999精品在线视频| 精品久久蜜臀av无| 天堂√8在线中文| 在线十欧美十亚洲十日本专区| 欧美成狂野欧美在线观看| 亚洲成人精品中文字幕电影 | av视频免费观看在线观看| 一本大道久久a久久精品| 久久久久九九精品影院| 国产亚洲精品第一综合不卡| 国产aⅴ精品一区二区三区波| 国产精品自产拍在线观看55亚洲| 国产精品亚洲一级av第二区| 99在线视频只有这里精品首页| 日本欧美视频一区| 亚洲 欧美一区二区三区| 亚洲一码二码三码区别大吗| 久久久久久人人人人人| 亚洲国产中文字幕在线视频| 欧美激情极品国产一区二区三区| 老司机在亚洲福利影院| 精品国产一区二区久久| 久久精品国产清高在天天线| 一本综合久久免费| 久久午夜亚洲精品久久| 国产成人系列免费观看| 亚洲 欧美一区二区三区| 久久久久久久精品吃奶| 天天躁夜夜躁狠狠躁躁| 亚洲精品国产色婷婷电影| 亚洲性夜色夜夜综合| 一区二区三区激情视频| 成年女人毛片免费观看观看9| www.999成人在线观看| 女性被躁到高潮视频| 麻豆国产av国片精品| 在线观看一区二区三区| 国产成人免费无遮挡视频| 中亚洲国语对白在线视频| 欧美+亚洲+日韩+国产| 男女高潮啪啪啪动态图| 嫩草影院精品99| 在线观看www视频免费| 欧美一级毛片孕妇| 亚洲中文av在线| 国产精品98久久久久久宅男小说| 三级毛片av免费| 18禁国产床啪视频网站| 两性午夜刺激爽爽歪歪视频在线观看 | av电影中文网址| 国产精品成人在线| 99re在线观看精品视频| 亚洲中文日韩欧美视频| 这个男人来自地球电影免费观看| 精品久久久久久,| 亚洲 欧美一区二区三区| 日韩人妻精品一区2区三区| 亚洲少妇的诱惑av| 夜夜躁狠狠躁天天躁| 免费搜索国产男女视频| 亚洲精品在线观看二区| 精品一区二区三区av网在线观看| 99国产精品一区二区蜜桃av| 波多野结衣高清无吗| 国产精品一区二区免费欧美| 亚洲一码二码三码区别大吗| 国产深夜福利视频在线观看| 搡老乐熟女国产| а√天堂www在线а√下载| 三上悠亚av全集在线观看| 正在播放国产对白刺激| 国产伦人伦偷精品视频| 悠悠久久av| 国产片内射在线| 成在线人永久免费视频| 国产精品乱码一区二三区的特点 | 国产成人av激情在线播放| 神马国产精品三级电影在线观看 | 高清在线国产一区| 久久久久久久午夜电影 | 国产成年人精品一区二区 | 男女床上黄色一级片免费看| 高潮久久久久久久久久久不卡| 国产黄a三级三级三级人| 咕卡用的链子| 视频在线观看一区二区三区| 亚洲欧美日韩另类电影网站| 久9热在线精品视频| 久久久国产欧美日韩av| 午夜成年电影在线免费观看| 99国产精品99久久久久| 丝袜人妻中文字幕| 日韩 欧美 亚洲 中文字幕| 亚洲午夜理论影院| 男人操女人黄网站| 一进一出好大好爽视频|