Perception Improvement for Free: Exploring Imperceptible Black-box
Adversarial Attacks on Image Classification
- URL: http://arxiv.org/abs/2011.05254v1
- Date: Fri, 30 Oct 2020 07:17:12 GMT
- Title: Perception Improvement for Free: Exploring Imperceptible Black-box
Adversarial Attacks on Image Classification
- Authors: Yongwei Wang, Mingquan Feng, Rabab Ward, Z. Jane Wang, Lanjun Wang
- Abstract summary: White-box adversarial attacks can fool neural networks with small perturbations, especially for large size images.
Keeping successful adversarial perturbations imperceptible is especially challenging for transfer-based black-box adversarial attacks.
We propose structure-aware adversarial attacks by generating adversarial images based on psychological perceptual models.
- Score: 27.23874129994179
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Deep neural networks are vulnerable to adversarial attacks. White-box
adversarial attacks can fool neural networks with small adversarial
perturbations, especially for large size images. However, keeping successful
adversarial perturbations imperceptible is especially challenging for
transfer-based black-box adversarial attacks. Often such adversarial examples
can be easily spotted due to their unpleasantly poor visual qualities, which
compromises the threat of adversarial attacks in practice. In this study, to
improve the image quality of black-box adversarial examples perceptually, we
propose structure-aware adversarial attacks by generating adversarial images
based on psychological perceptual models. Specifically, we allow higher
perturbations on perceptually insignificant regions, while assigning lower or
no perturbation on visually sensitive regions. In addition to the proposed
spatial-constrained adversarial perturbations, we also propose a novel
structure-aware frequency adversarial attack method in the discrete cosine
transform (DCT) domain. Since the proposed attacks are independent of the
gradient estimation, they can be directly incorporated with existing
gradient-based attacks. Experimental results show that, with the comparable
attack success rate (ASR), the proposed methods can produce adversarial
examples with considerably improved visual quality for free. With the
comparable perceptual quality, the proposed approaches achieve higher attack
success rates: particularly for the frequency structure-aware attacks, the
average ASR improves more than 10% over the baseline attacks.
Related papers
- LFAA: Crafting Transferable Targeted Adversarial Examples with Low-Frequency Perturbations [25.929492841042666]
We present a novel approach to generate transferable targeted adversarial examples.
We exploit the vulnerability of deep neural networks to perturbations on high-frequency components of images.
Our proposed approach significantly outperforms state-of-the-art methods.
arXiv Detail & Related papers (2023-10-31T04:54:55Z)
- Dual Adversarial Resilience for Collaborating Robust Underwater Image Enhancement and Perception [54.672052775549]
In this work, we introduce a collaborative adversarial resilience network, dubbed CARNet, for underwater image enhancement and subsequent detection tasks.
We propose a synchronized attack training strategy with both visual-driven and perception-driven attacks enabling the network to discern and remove various types of attacks.
Experiments demonstrate that the proposed method outputs visually appealing enhancement images and achieves on average 6.71% higher detection mAP than state-of-the-art methods.
arXiv Detail & Related papers (2023-09-03T06:52:05Z)
- Content-based Unrestricted Adversarial Attack [53.181920529225906]
We propose a novel unrestricted attack framework called Content-based Unrestricted Adversarial Attack.
By leveraging a low-dimensional manifold that represents natural images, we map the images onto the manifold and optimize them along its adversarial direction.
arXiv Detail & Related papers (2023-05-18T02:57:43Z)
- Guidance Through Surrogate: Towards a Generic Diagnostic Attack [101.36906370355435]
We develop a guided mechanism to avoid local minima during attack optimization, leading to a novel attack dubbed Guided Projected Gradient Attack (G-PGA).
Our modified attack does not require random restarts, a large number of attack iterations or a search for an optimal step-size.
More than an effective attack, G-PGA can be used as a diagnostic tool to reveal elusive robustness due to gradient masking in adversarial defenses.
arXiv Detail & Related papers (2022-12-30T18:45:23Z)
- SAIF: Sparse Adversarial and Imperceptible Attack Framework [7.025774823899217]
We propose a novel attack technique called Sparse Adversarial and Interpretable Attack Framework (SAIF).
Specifically, we design imperceptible attacks that contain low-magnitude perturbations at a small number of pixels and leverage these sparse attacks to reveal the vulnerability of classifiers.
SAIF computes highly imperceptible and interpretable adversarial examples, and outperforms state-of-the-art sparse attack methods on the ImageNet dataset.
arXiv Detail & Related papers (2022-12-14T20:28:50Z)
- Adv-Attribute: Inconspicuous and Transferable Adversarial Attack on Face Recognition [111.1952945740271]
Adversarial Attributes (Adv-Attribute) is designed to generate inconspicuous and transferable attacks on face recognition.
Experiments on the FFHQ and CelebA-HQ datasets show that the proposed Adv-Attribute method achieves the state-of-the-art attacking success rates.
arXiv Detail & Related papers (2022-10-13T09:56:36Z)
- Boosting the Transferability of Adversarial Attacks with Reverse Adversarial Perturbation [32.81400759291457]
Adversarial examples can produce erroneous predictions by injecting imperceptible perturbations.
In this work, we study the transferability of adversarial examples, which is significant due to its threat to real-world applications.
We propose a novel attack method, dubbed reverse adversarial perturbation (RAP).
arXiv Detail & Related papers (2022-10-12T07:17:33Z)
- Demiguise Attack: Crafting Invisible Semantic Adversarial Perturbations with Perceptual Similarity [5.03315505352304]
Adversarial examples are malicious images with visually imperceptible perturbations.
We propose Demiguise Attack, crafting "unrestricted" perturbations with Perceptual Similarity.
We extend widely-used attacks with our approach, enhancing adversarial effectiveness impressively while contributing to imperceptibility.
arXiv Detail & Related papers (2021-07-03T10:14:01Z)
- Towards Defending against Adversarial Examples via Attack-Invariant Features [147.85346057241605]
Deep neural networks (DNNs) are vulnerable to adversarial noise.
Adversarial robustness can be improved by exploiting adversarial examples.
Models trained on seen types of adversarial examples generally cannot generalize well to unseen types of adversarial examples.
arXiv Detail & Related papers (2021-06-09T12:49:54Z)
- Adversarial Examples Detection beyond Image Space [88.7651422751216]
We find that there exists compliance between perturbations and prediction confidence, which guides us to detect few-perturbation attacks from the aspect of prediction confidence.
We propose a method beyond image space by a two-stream architecture, in which the image stream focuses on the pixel artifacts and the gradient stream copes with the confidence artifacts.
arXiv Detail & Related papers (2021-02-23T09:55:03Z)
- Learning to Attack with Fewer Pixels: A Probabilistic Post-hoc Framework for Refining Arbitrary Dense Adversarial Attacks [21.349059923635515]
Adversarial evasion attacks are reported to be susceptible to deep neural network image classifiers.
We propose a probabilistic post-hoc framework that refines given dense attacks by significantly reducing the number of perturbed pixels.
Our framework performs adversarial attacks much faster than existing sparse attacks.
arXiv Detail & Related papers (2020-10-13T02:51:10Z)
This list is automatically generated from the titles and abstracts of the papers in this site.