An Evasion Attack against Stacked Capsule Autoencoder
- URL: http://arxiv.org/abs/2010.07230v5
- Date: Mon, 20 Dec 2021 16:22:53 GMT
- Title: An Evasion Attack against Stacked Capsule Autoencoder
- Authors: Jiazhu Dai, Siwei Xiong
- Abstract summary: We propose an evasion attack against the Stacked Capsule Autoencoder (SCAE)
We evaluate the attack using an image classification experiment, and the experimental results indicate that the attack can achieve high success rates and stealthiness.
- Score: 0.0
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Capsule network is a type of neural network that uses the spatial
relationship between features to classify images. By capturing the poses and
relative positions between features, its ability to recognize affine
transformation is improved, and it surpasses traditional convolutional neural
networks (CNNs) when handling translation, rotation and scaling. The Stacked
Capsule Autoencoder (SCAE) is the state-of-the-art capsule network. The SCAE
encodes an image as capsules, each of which contains poses of features and
their correlations. The encoded contents are then input into the downstream
classifier to predict the categories of the images. Existing research mainly
focuses on the security of capsule networks with dynamic routing or EM routing,
and little attention has been given to the security and robustness of the SCAE.
In this paper, we propose an evasion attack against the SCAE. After a
perturbation is generated based on the output of the object capsules in the
model, it is added to an image to reduce the contribution of the object
capsules related to the original category of the image so that the perturbed
image will be misclassified. We evaluate the attack using an image
classification experiment, and the experimental results indicate that the
attack can achieve high success rates and stealthiness. It confirms that the
SCAE has a security vulnerability whereby it is possible to craft adversarial
samples without changing the original structure of the image to fool the
classifiers. We hope that our work will make the community aware of the threat
of this attack and raise the attention given to the SCAE's security.
Related papers
- Towards Robust Image Stitching: An Adaptive Resistance Learning against Compatible Attacks [66.98297584796391]
  Image stitching seamlessly integrates images captured from varying perspectives into a single wide field-of-view image.
  Given a pair of captured images, subtle perturbations and distortions which go unnoticed by the human visual system tend to attack the correspondence matching.
  This paper presents the first attempt to improve the robustness of image stitching against adversarial attacks.
  arXiv Detail & Related papers (2024-02-25T02:36:33Z)
- Tailoring Adversarial Attacks on Deep Neural Networks for Targeted Class Manipulation Using DeepFool Algorithm [0.0]
  DeepFool, an algorithm proposed by Moosavi-Dezfooli et al., finds minimal perturbations to misclassify input images.
  DeepFool lacks a targeted approach, making it less effective in specific attack scenarios.
  We propose Enhanced Targeted DeepFool, an augmented version of DeepFool that allows targeting specific classes for misclassification.
  arXiv Detail & Related papers (2023-10-18T18:50:39Z)
- CamDiff: Camouflage Image Augmentation via Diffusion Model [83.35960536063857]
  CamDiff is a novel approach to synthesize salient objects in camouflaged scenes.
  We leverage the latent diffusion model to synthesize salient objects in camouflaged scenes.
  Our approach enables flexible editing and efficient large-scale dataset generation at a low cost.
  arXiv Detail & Related papers (2023-04-11T19:37:47Z)
- SAIF: Sparse Adversarial and Imperceptible Attack Framework [7.025774823899217]
  We propose a novel attack technique called Sparse Adversarial and Interpretable Attack Framework (SAIF).
  Specifically, we design imperceptible attacks that contain low-magnitude perturbations at a small number of pixels and leverage these sparse attacks to reveal the vulnerability of classifiers.
  SAIF computes highly imperceptible and interpretable adversarial examples, and outperforms state-of-the-art sparse attack methods on the ImageNet dataset.
  arXiv Detail & Related papers (2022-12-14T20:28:50Z)
- Towards Robust Stacked Capsule Autoencoder with Hybrid Adversarial Training [0.0]
  Capsule networks (CapsNets) are new neural networks that classify images based on the spatial relationships of features.
  The stacked capsule autoencoder (SCAE) is a state-of-the-art CapsNet, and achieved unsupervised classification of CapsNets for the first time.
  We propose an evasion attack against SCAE, where the attacker can generate adversarial perturbations based on reducing the contribution of the object capsules.
  We evaluate the defense method and the experimental results show that the refined SCAE model can achieve 82.14% classification accuracy under evasion attack.
  arXiv Detail & Related papers (2022-02-28T13:17:21Z)
- Hiding Images into Images with Real-world Robustness [21.328984859163956]
  We introduce a generative network based method for hiding images into images while assuring high-quality extraction.
  An embedding network is sequentially coupled with an attack layer, a decoupling network and an image extraction network.
  We are the first to robustly hide three secret images.
  arXiv Detail & Related papers (2021-10-12T02:20:34Z)
- Backdoor Attack on Hash-based Image Retrieval via Clean-label Data Poisoning [54.15013757920703]
  We propose the confusing perturbations-induced backdoor attack (CIBA).
  It injects a small number of poisoned images with the correct label into the training data.
  We have conducted extensive experiments to verify the effectiveness of our proposed CIBA.
  arXiv Detail & Related papers (2021-09-18T07:56:59Z)
- Discriminator-Free Generative Adversarial Attack [87.71852388383242]
  Generative-based adversarial attacks can get rid of this limitation.
  A Symmetric Saliency-based Auto-Encoder (SSAE) generates the perturbations.
  The adversarial examples generated by SSAE not only make the widely-used models collapse, but also achieve good visual quality.
  arXiv Detail & Related papers (2021-07-20T01:55:21Z)
- Combating Adversaries with Anti-Adversaries [118.70141983415445]
  In particular, our layer generates an input perturbation in the opposite direction of the adversarial one.
  We verify the effectiveness of our approach by combining our layer with both nominally and robustly trained models.
  Our anti-adversary layer significantly enhances model robustness while coming at no cost on clean accuracy.
  arXiv Detail & Related papers (2021-03-26T09:36:59Z)
- Defending Adversarial Examples via DNN Bottleneck Reinforcement [20.08619981108837]
  This paper presents a reinforcement scheme to alleviate the vulnerability of Deep Neural Networks (DNN) against adversarial attacks.
  By reinforcing the former while maintaining the latter, any redundant information, be it adversarial or not, should be removed from the latent representation.
  In order to reinforce the information bottleneck, we introduce the multi-scale low-pass objective and multi-scale high-frequency communication for better frequency steering in the network.
  arXiv Detail & Related papers (2020-08-12T11:02:01Z)
- Evading Deepfake-Image Detectors with White- and Black-Box Attacks [75.13740810603686]
  We show that a popular forensic approach trains a neural network to distinguish real from synthetic content.
  We develop five attack case studies on a state-of-the-art classifier that achieves an area under the ROC curve (AUC) of 0.95 on almost all existing image generators.
  We also develop a black-box attack that, with no access to the target classifier, reduces the AUC to 0.22.
  arXiv Detail & Related papers (2020-04-01T17:59:59Z)
This list is automatically generated from the titles and abstracts of the papers in this site.