The Effect of Class Definitions on the Transferability of Adversarial
Attacks Against Forensic CNNs
- URL: http://arxiv.org/abs/2101.11081v1
- Date: Tue, 26 Jan 2021 20:59:37 GMT
- Title: The Effect of Class Definitions on the Transferability of Adversarial
Attacks Against Forensic CNNs
- Authors: Xinwei Zhao and Matthew C. Stamm
- Abstract summary: We show that adversarial attacks against CNNs trained to identify image manipulation fail to transfer to CNNs whose only difference is in the class definitions.
This has important implications for the future design of forensic CNNs that are robust to adversarial and anti-forensic attacks.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: In recent years, convolutional neural networks (CNNs) have been widely used
by researchers to perform forensic tasks such as image tampering detection. At
the same time, adversarial attacks have been developed that are capable of
fooling CNN-based classifiers. Understanding the transferability of adversarial
attacks, i.e. an attack's ability to attack a different CNN than the one it was
trained against, has important implications for designing CNNs that are
resistant to attacks. While attacks on object recognition CNNs are believed to
be transferable, recent work by Barni et al. has shown that attacks on
forensic CNNs have difficulty transferring to other CNN architectures or CNNs
trained using different datasets. In this paper, we demonstrate that
adversarial attacks on forensic CNNs are even less transferable than
previously thought even between virtually identical CNN architectures! We show
that several common adversarial attacks against CNNs trained to identify image
manipulation fail to transfer to CNNs whose only difference is in the class
definitions (i.e. the same CNN architectures trained using the same data). We
note that all formulations of class definitions contain the unaltered class.
This has important implications for the future design of forensic CNNs that are
robust to adversarial and anti-forensic attacks.
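The transferability measurement the abstract describes, as an added example (not code from the paper or its authors): two hand-built softmax-linear stand-ins for forensic CNNs that share the unaltered class but use different class definitions (unaltered/blur/sharpen versus unaltered/manipulated), a targeted FGSM crafted against one of them, and a cross-model success metric, the fraction of manipulated inputs now labelled unaltered, which is the one comparison that stays meaningful when the label sets differ. Everything here is constructed: the 16-feature inputs, the weights, and in particular the assumption that the two definitions key on disjoint trace features. That disjointness is what produces the zero transfer in the output; it is the hypothesis the paper tests empirically on real CNNs, not a result of this code. A third stand-in with the coarse definition but the same cue as the fine model is included as a control so the harness shows both outcomes. Requires numpy.

```python
import numpy as np

D = 16          # constructed: 16 residual features per "image", centred at 0.5
UNALTERED = 0   # every class definition in this example keeps 'unaltered' at index 0


def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)


class LinearStandIn:
    """Softmax-linear classifier standing in for a forensic CNN (constructed, hand-set weights)."""

    def __init__(self, W, b, class_names):
        self.W = np.asarray(W, dtype=float)
        self.b = np.asarray(b, dtype=float)
        self.class_names = class_names

    def logits(self, X):
        return X @ self.W.T + self.b

    def predict(self, X):
        return self.logits(X).argmax(axis=-1)

    def input_gradient(self, X, y):
        """d cross_entropy(softmax(Wx+b), y) / dx = W^T (p - onehot(y)), per row."""
        p = softmax(self.logits(X))
        p[np.arange(len(y)), y] -= 1.0
        return p @ self.W


def targeted_fgsm(model, X, target, eps):
    """Single-step targeted FGSM: step against the loss gradient for `target` under an L_inf budget eps."""
    y = np.full(len(X), target)
    return np.clip(X - eps * np.sign(model.input_gradient(X, y)), 0.0, 1.0)


def unaltered_rate(model, X):
    """Fraction of inputs the model labels 'unaltered'. Because every class definition
    contains that class, this metric is comparable across models whose other labels differ."""
    return float(np.mean(model.predict(X) == UNALTERED))


def build_models():
    # Fine definition (unaltered / blur / sharpen), keyed on features 0..7.
    # A traced 4-feature block sums to 2.4, a clean one to 2.0; bias -44 = -20*2.2 is the midpoint.
    W_fine = np.zeros((3, D)); W_fine[1, 0:4] = 20.0; W_fine[2, 4:8] = 20.0
    fine = LinearStandIn(W_fine, [0.0, -44.0, -44.0], ["unaltered", "blur", "sharpen"])
    # Coarse definition (unaltered / manipulated), keyed on features 8..15: the assumed disjoint cue.
    # Traced 8-feature half sums to 4.4, clean to 4.0; bias -84 = -20*4.2 is the midpoint.
    W_coarse = np.zeros((2, D)); W_coarse[1, 8:16] = 20.0
    coarse = LinearStandIn(W_coarse, [0.0, -84.0], ["unaltered", "manipulated"])
    # Control: coarse definition but the same cue (features 0..7) as the fine model.
    W_ctrl = np.zeros((2, D)); W_ctrl[1, 0:8] = 20.0
    coarse_same_cue = LinearStandIn(W_ctrl, [0.0, -84.0], ["unaltered", "manipulated"])
    return fine, coarse, coarse_same_cue


def constructed_manipulated_samples():
    """Two constructed manipulated inputs: each operation raises one 4-feature block in each half by 0.1."""
    blur = np.full(D, 0.5); blur[0:4] += 0.1; blur[8:12] += 0.1
    sharpen = np.full(D, 0.5); sharpen[4:8] += 0.1; sharpen[12:16] += 0.1
    return np.stack([blur, sharpen])


def transfer_experiment(eps=0.06):
    """Craft on the source model, score on both source and destination with the shared metric."""
    fine, coarse, ctrl = build_models()
    X = constructed_manipulated_samples()
    pairs = [("fine", fine, "coarse", coarse),
             ("coarse", coarse, "fine", fine),
             ("fine", fine, "coarse_same_cue", ctrl)]
    out = {}
    for sname, src, dname, dst in pairs:
        X_adv = targeted_fgsm(src, X, UNALTERED, eps)
        out[f"{sname}->{dname}"] = {
            "clean_src": unaltered_rate(src, X),      # sanity check: nothing fooled before the attack
            "adv_src": unaltered_rate(src, X_adv),    # white-box success on the source model
            "adv_dst": unaltered_rate(dst, X_adv),    # transfer success on the destination model
            "linf": float(np.abs(X_adv - X).max()),   # perturbation actually spent
        }
    return out


if __name__ == "__main__":
    for pair, r in transfer_experiment().items():
        print(f"{pair:24s} white-box {r['adv_src']:.2f}  transfer {r['adv_dst']:.2f}  linf {r['linf']:.2f}")
```

The design point is the metric: with different label sets there is no "same wrong label" to count, so success is scored as the destination model accepting the image as unaltered, which the abstract notes every class definition contains. The control pair shows the harness is not rigged to report zero: when the two definitions share a cue, the same perturbation transfers at 100%.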
Related papers
- A Neurosymbolic Framework for Bias Correction in Convolutional Neural Networks [2.249916681499244]
We introduce a neurosymbolic framework called NeSyBiCor for bias correction in a trained CNN.
We show that our framework successfully corrects the biases of CNNs trained with subsets of classes from the "Places" dataset.
arXiv Detail & Related papers (2024-05-24T19:09:53Z)
- Exploring Adversarial Examples and Adversarial Robustness of Convolutional Neural Networks by Mutual Information [44.841339443764696]
This work investigates similarities and differences between two types of convolutional neural networks (CNNs) in information extraction.
The reason why adversarial examples mislead CNNs may be that they contain more texture-based information about other categories.
Normally trained CNNs tend to extract texture-based information from the inputs, while adversarially trained models prefer shape-based information.
arXiv Detail & Related papers (2022-07-12T13:25:42Z)
- Deeply Explain CNN via Hierarchical Decomposition [75.01251659472584]
In computer vision, some attribution methods for explaining CNNs attempt to study how the intermediate features affect the network prediction.
This paper introduces a hierarchical decomposition framework to explain CNN's decision-making process in a top-down manner.
arXiv Detail & Related papers (2022-01-23T07:56:04Z)
- BreakingBED -- Breaking Binary and Efficient Deep Neural Networks by Adversarial Attacks [65.2021953284622]
We study robustness of CNNs against white-box and black-box adversarial attacks.
Results are shown for distilled CNNs, agent-based state-of-the-art pruned models, and binarized neural networks.
arXiv Detail & Related papers (2021-03-14T20:43:19Z)
- A Transferable Anti-Forensic Attack on Forensic CNNs Using A Generative Adversarial Network [24.032025811564814]
Convolutional neural networks (CNNs) have become widely used in multimedia forensics.
Anti-forensic attacks have been developed to fool these CNN-based forensic algorithms.
We propose a new anti-forensic attack framework designed to remove forensic traces left by a variety of manipulation operations.
arXiv Detail & Related papers (2021-01-23T19:31:59Z)
- Exploiting Vulnerability of Pooling in Convolutional Neural Networks by Strict Layer-Output Manipulation for Adversarial Attacks [7.540176446791261]
Convolutional neural networks (CNN) have been more and more applied in mobile robotics such as intelligent vehicles.
Security of CNNs in robotics applications is an important issue, for which potential adversarial attacks on CNNs are worth research.
In this paper, we conduct adversarial attacks on CNNs from the perspective of network structure by investigating and exploiting the vulnerability of pooling.
arXiv Detail & Related papers (2020-12-21T15:18:41Z)
- Color Channel Perturbation Attacks for Fooling Convolutional Neural Networks and A Defense Against Such Attacks [16.431689066281265]
Convolutional Neural Networks (CNNs) have emerged as a powerful data dependent hierarchical feature extraction method.
It is observed that the network overfits the training samples very easily.
We propose a Color Channel Perturbation (CCP) attack to fool the CNNs.
arXiv Detail & Related papers (2020-12-20T11:35:29Z)
- Shape Defense Against Adversarial Attacks [47.64219291655723]
Humans rely heavily on shape information to recognize objects. Conversely, convolutional neural networks (CNNs) are biased more towards texture.
Here, we explore how shape bias can be incorporated into CNNs to improve their robustness.
Two algorithms are proposed, based on the observation that edges are invariant to moderate imperceptible perturbations.
arXiv Detail & Related papers (2020-08-31T03:23:59Z)
- Adversarial Fooling Beyond "Flipping the Label" [54.23547006072598]
CNNs show near human or better than human performance in many critical tasks.
These attacks are potentially dangerous in real-life deployments.
We present a comprehensive analysis of several important adversarial attacks over a set of distinct CNN architectures.
arXiv Detail & Related papers (2020-04-27T13:21:03Z)
- Transferable Perturbations of Deep Feature Distributions [102.94094966908916]
This work presents a new adversarial attack based on the modeling and exploitation of class-wise and layer-wise deep feature distributions.
We achieve state-of-the-art targeted blackbox transfer-based attack results for undefended ImageNet models.
arXiv Detail & Related papers (2020-04-27T00:32:25Z)
This list is automatically generated from the titles and abstracts of the papers in this site.