Towards Visual Distortion in Black-Box Attacks
- URL: http://arxiv.org/abs/2007.10593v2
- Date: Wed, 20 Jan 2021 07:35:56 GMT
- Title: Towards Visual Distortion in Black-Box Attacks
- Authors: Nannan Li and Zhenzhong Chen
- Abstract summary: Constructing adversarial examples in a black-box threat model injures the original images by introducing visual distortion.
We propose a novel black-box attack approach that can directly minimize the induced distortion by learning the noise distribution of the adversarial example.
Our attack results in much lower distortion when compared to the state-of-the-art black-box attacks and achieves $100\%$ success rate on InceptionV3, ResNet50 and VGG16bn.
- Score: 68.61251746898323
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Constructing adversarial examples in a black-box threat model injures the
original images by introducing visual distortion. In this paper, we propose a
novel black-box attack approach that can directly minimize the induced
distortion by learning the noise distribution of the adversarial example,
assuming only loss-oracle access to the black-box network. The quantified
visual distortion, which measures the perceptual distance between the
adversarial example and the original image, is introduced in our loss whilst
the gradient of the corresponding non-differentiable loss function is
approximated by sampling noise from the learned noise distribution. We validate
the effectiveness of our attack on ImageNet. Our attack results in much lower
distortion when compared to the state-of-the-art black-box attacks and achieves
$100\%$ success rate on InceptionV3, ResNet50 and VGG16bn. The code is
available at https://github.com/Alina-1997/visual-distortion-in-attack.
Related papers
- SAIF: Sparse Adversarial and Imperceptible Attack Framework [7.025774823899217]
We propose a novel attack technique called Sparse Adversarial and Interpretable Attack Framework (SAIF).
Specifically, we design imperceptible attacks that contain low-magnitude perturbations at a small number of pixels and leverage these sparse attacks to reveal the vulnerability of classifiers.
SAIF computes highly imperceptible and interpretable adversarial examples, and outperforms state-of-the-art sparse attack methods on the ImageNet dataset.
arXiv Detail & Related papers (2022-12-14T20:28:50Z)
- Towards Lightweight Black-Box Attacks against Deep Neural Networks [70.9865892636123]
We argue that black-box attacks can pose practical attacks where only several test samples are available.
As only a few samples are required, we refer to these attacks as lightweight black-box attacks.
We propose Error TransFormer (ETF) for lightweight attacks to mitigate the approximation error.
arXiv Detail & Related papers (2022-09-29T14:43:03Z)
- Error Diffusion Halftoning Against Adversarial Examples [85.11649974840758]
Adversarial examples contain carefully crafted perturbations that can fool deep neural networks into making wrong predictions.
We propose a new image transformation defense based on error diffusion halftoning, and combine it with adversarial training to defend against adversarial examples.
arXiv Detail & Related papers (2021-01-23T07:55:02Z)
- Context-Aware Image Denoising with Auto-Threshold Canny Edge Detection to Suppress Adversarial Perturbation [0.8021197489470756]
This paper presents a novel context-aware image denoising algorithm.
It combines an adaptive image smoothing technique and color reduction techniques to remove perturbation from adversarial images.
Our results show that the proposed approach reduces adversarial perturbation in adversarial attacks and increases the robustness of the deep convolutional neural network models.
arXiv Detail & Related papers (2021-01-14T19:15:28Z)
- Local Black-box Adversarial Attacks: A Query Efficient Approach [64.98246858117476]
Adversarial attacks have threatened the application of deep neural networks in security-sensitive scenarios.
We propose a novel framework to perturb the discriminative areas of clean examples only within limited queries in black-box attacks.
We conduct extensive experiments to show that our framework can significantly improve the query efficiency during black-box perturbing with a high attack success rate.
arXiv Detail & Related papers (2021-01-04T15:32:16Z)
- Boosting Gradient for White-Box Adversarial Attacks [60.422511092730026]
We propose a universal adversarial example generation method, called ADV-ReLU, to enhance the performance of gradient based white-box attack algorithms.
Our approach calculates the gradient of the loss function versus network input, maps the values to scores, and selects a part of them to update the misleading gradients.
arXiv Detail & Related papers (2020-10-21T02:13:26Z)
- Yet Another Intermediate-Level Attack [31.055720988792416]
The transferability of adversarial examples across deep neural network (DNN) models is the crux of a spectrum of black-box attacks.
We propose a novel method to enhance the black-box transferability of baseline adversarial examples.
arXiv Detail & Related papers (2020-08-20T09:14:04Z)
- Patch-wise Attack for Fooling Deep Neural Network [153.59832333877543]
We propose a patch-wise iterative algorithm -- a black-box attack towards mainstream normally trained and defense models.
We significantly improve the success rate by 9.2% for defense models and 3.7% for normally trained models on average.
arXiv Detail & Related papers (2020-07-14T01:50:22Z)
- AdvJND: Generating Adversarial Examples with Just Noticeable Difference [3.638233924421642]
Adding small perturbations on examples causes a good-performance model to misclassify the crafted examples.
Adversarial examples generated by our AdvJND algorithm yield distributions similar to those of the original inputs.
arXiv Detail & Related papers (2020-02-01T09:55:27Z)
This list is automatically generated from the titles and abstracts of the papers in this site.