Universal Adversarial Perturbations and Image Spam Classifiers
- URL: http://arxiv.org/abs/2103.05469v1
- Date: Sun, 7 Mar 2021 14:36:02 GMT
- Title: Universal Adversarial Perturbations and Image Spam Classifiers
- Authors: Andy Phung and Mark Stamp
- Abstract summary: Image spam is spam email that has been embedded in an image.
Modern deep learning-based classifiers perform well in detecting typical image spam.
We propose and analyze a new transformation-based adversarial attack that enables us to create tailored "natural perturbations" in image spam.
- Score: 4.111899441919165
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: As the name suggests, image spam is spam email that has been embedded in an
image. Image spam was developed in an effort to evade text-based filters.
Modern deep learning-based classifiers perform well in detecting typical image
spam that is seen in the wild. In this chapter, we evaluate numerous
adversarial techniques for the purpose of attacking deep learning-based image
spam classifiers. Of the techniques tested, we find that universal perturbation
performs best. Using universal adversarial perturbations, we propose and
analyze a new transformation-based adversarial attack that enables us to create
tailored "natural perturbations" in image spam. The resulting spam images
benefit from both the presence of concentrated natural features and a universal
adversarial perturbation. We show that the proposed technique outperforms
existing adversarial attacks in terms of accuracy reduction, computation time
per example, and perturbation distance. We apply our technique to create a
dataset of adversarial spam images, which can serve as a challenge dataset for
future research in image spam detection.
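The universal perturbation idea evaluated in the abstract can be sketched as follows. This is a minimal illustration of the general scheme (accumulate per-image updates into a single perturbation and project it onto an l-infinity ball), not the authors' implementation; the toy classifier, the sign-gradient step, and all parameter values are placeholders for illustration only.

```python
import numpy as np

def universal_perturbation(images, grad_fn, predict_fn, eps=0.1, step=0.02, epochs=5):
    """Accumulate one perturbation v that flips the classifier's decision on
    as many images as possible, projecting v onto the l-inf ball of radius
    eps after each update (a sketch of the universal-perturbation scheme)."""
    v = np.zeros_like(images[0])
    for _ in range(epochs):
        for x in images:
            # only update v while x + v is still classified like the clean x
            if predict_fn(x + v) == predict_fn(x):
                v += step * np.sign(grad_fn(x + v))
                v = np.clip(v, -eps, eps)  # l-inf projection
    return v

# toy binary "classifier": sign of the mean pixel value
predict = lambda x: int(x.mean() > 0)
# toy gradient: push the mean toward the opposite class
grad = lambda x: -np.ones_like(x) if predict(x) == 1 else np.ones_like(x)

imgs = [np.full((4, 4), 0.05), np.full((4, 4), 0.03)]
v = universal_perturbation(imgs, grad, predict, eps=0.1, step=0.02)
```

With this toy setup a single small perturbation (here bounded by eps = 0.1 per pixel) is enough to flip both images, which is the property that makes universal perturbations attractive for attacking spam classifiers.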
Related papers
- Adversarial Purification of Information Masking [8.253834429336656]
Adversarial attacks generate minuscule, imperceptible perturbations to images to deceive neural networks.
Counteracting these, adversarial purification methods seek to transform adversarial input samples into clean output images to defend against adversarial attacks.
We propose a novel adversarial purification approach named Information Mask Purification (IMPure) to extensively eliminate adversarial perturbations.
arXiv Detail & Related papers (2023-11-26T15:50:19Z)
- IRAD: Implicit Representation-driven Image Resampling against Adversarial Attacks [16.577595936609665]
We introduce a novel approach to counter adversarial attacks, namely, image resampling.
Image resampling transforms a discrete image into a new one, simulating the process of scene recapturing or rerendering as specified by a geometrical transformation.
We show that our method significantly enhances the adversarial robustness of diverse deep models against various attacks while maintaining high accuracy on clean images.
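The resampling transform described above can be illustrated with a deliberately crude stand-in: downsample by striding, then upsample by nearest-neighbour repetition. IRAD itself uses a learned implicit representation to drive the resampling; this sketch only shows why resampling helps at all, namely that it discards high-frequency perturbation detail while keeping coarse content.

```python
import numpy as np

def resample(img, factor=2):
    """Defensive resampling sketch: downsample by striding, then upsample
    by nearest-neighbour repetition. High-frequency adversarial noise is
    discarded while coarse image content survives."""
    small = img[::factor, ::factor]
    return np.repeat(np.repeat(small, factor, axis=0), factor, axis=1)

img = np.arange(16, dtype=float).reshape(4, 4)
noisy = img + 0.5 * np.random.default_rng(0).choice([-1.0, 1.0], size=img.shape)
clean = resample(noisy)
```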
arXiv Detail & Related papers (2023-10-18T11:19:32Z)
- Dual Adversarial Resilience for Collaborating Robust Underwater Image Enhancement and Perception [54.672052775549]
In this work, we introduce a collaborative adversarial resilience network, dubbed CARNet, for underwater image enhancement and subsequent detection tasks.
We propose a synchronized attack training strategy with both visual-driven and perception-driven attacks enabling the network to discern and remove various types of attacks.
Experiments demonstrate that the proposed method outputs visually appealing enhanced images and achieves, on average, 6.71% higher detection mAP than state-of-the-art methods.
arXiv Detail & Related papers (2023-09-03T06:52:05Z)
- Enhancing the Self-Universality for Transferable Targeted Attacks [88.6081640779354]
Our new attack method is proposed based on the observation that highly universal adversarial perturbations tend to be more transferable for targeted attacks.
Instead of optimizing the perturbation across different images, optimizing it across different regions of a single image to achieve self-universality removes the need for extra data.
With the feature similarity loss, our method makes the features from adversarial perturbations more dominant than those of benign images.
arXiv Detail & Related papers (2022-09-08T11:21:26Z)
- Restricted Black-box Adversarial Attack Against DeepFake Face Swapping [70.82017781235535]
We introduce a practical adversarial attack that does not require any queries to the facial image forgery model.
Our method is built on a substitute model trained for face reconstruction, and it transfers adversarial examples from the substitute model directly to inaccessible black-box DeepFake models.
arXiv Detail & Related papers (2022-04-26T14:36:06Z)
- Convolutional Neural Networks for Image Spam Detection [4.817429789586127]
Spam can be defined as unsolicited bulk email.
In an effort to evade text-based filters, spammers sometimes embed spam text in an image, which is referred to as image spam.
We apply convolutional neural networks (CNN) to this problem, we compare the results obtained using CNNs to other machine learning techniques, and we compare our results to previous related work.
arXiv Detail & Related papers (2022-04-02T15:10:44Z)
- Exploring Frequency Adversarial Attacks for Face Forgery Detection [59.10415109589605]
We propose a frequency adversarial attack method against face forgery detectors.
Inspired by the idea of meta-learning, we also propose a hybrid adversarial attack that performs attacks in both the spatial and frequency domains.
arXiv Detail & Related papers (2022-03-29T15:34:13Z)
- Error Diffusion Halftoning Against Adversarial Examples [85.11649974840758]
Adversarial examples contain carefully crafted perturbations that can fool deep neural networks into making wrong predictions.
We propose a new image transformation defense based on error diffusion halftoning, and combine it with adversarial training to defend against adversarial examples.
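The core transform behind this defense is classic error-diffusion halftoning, of which Floyd-Steinberg is the standard instance: each pixel is quantized to black or white and the quantization error is pushed onto unprocessed neighbours. The sketch below shows only the halftoning step, not the paper's combination with adversarial training.

```python
import numpy as np

def floyd_steinberg(img):
    """Floyd-Steinberg error-diffusion halftoning: quantize each pixel to
    0/1 and diffuse the quantization error to unprocessed neighbours with
    the standard 7/16, 3/16, 5/16, 1/16 weights."""
    out = img.astype(float).copy()
    h, w = out.shape
    for y in range(h):
        for x in range(w):
            old = out[y, x]
            new = 1.0 if old >= 0.5 else 0.0
            out[y, x] = new
            err = old - new
            if x + 1 < w:
                out[y, x + 1] += err * 7 / 16
            if y + 1 < h:
                if x > 0:
                    out[y + 1, x - 1] += err * 3 / 16
                out[y + 1, x] += err * 5 / 16
                if x + 1 < w:
                    out[y + 1, x + 1] += err * 1 / 16
    return out

halftoned = floyd_steinberg(np.full((8, 8), 0.5))
```

Because the output is strictly binary, any small additive adversarial perturbation must survive this hard quantization to remain effective, which is the intuition behind using halftoning as an input transformation.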
arXiv Detail & Related papers (2021-01-23T07:55:02Z)
- DeepCapture: Image Spam Detection Using Deep Learning and Data Augmentation [16.488574089293326]
We propose a new image spam email detection tool called DeepCapture using a convolutional neural network (CNN) model.
DeepCapture is capable of achieving an F1-score of 88%, a 6% improvement over the best existing spam detection model, CNN-SVM.
arXiv Detail & Related papers (2020-06-16T02:50:04Z)
- A Black-box Adversarial Attack Strategy with Adjustable Sparsity and Generalizability for Deep Image Classifiers [16.951363298896638]
Black-box adversarial perturbations are more practical for real-world applications.
We propose the DEceit algorithm for constructing effective universal pixel-restricted perturbations.
We find that perturbing only about 10% of the pixels in an image using DEceit achieves a commendable and highly transferable Fooling Rate.
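The sparsity budget described here can be illustrated as follows. Note that DEceit searches for the pixel positions with differential evolution; the fixed random mask below is purely a stand-in to show what "perturbing only about 10% of the pixels" means.

```python
import numpy as np

def sparse_perturb(img, frac=0.10, eps=0.5, seed=0):
    """Sketch of a pixel-restricted perturbation: pick a fixed random ~10%
    of pixel positions and add +/-eps noise only there. (DEceit chooses the
    positions by differential evolution; this random mask only illustrates
    the sparsity budget.)"""
    rng = np.random.default_rng(seed)
    flat = img.flatten().copy()
    k = max(1, int(frac * flat.size))
    idx = rng.choice(flat.size, size=k, replace=False)
    flat[idx] += eps * rng.choice([-1.0, 1.0], size=k)
    return flat.reshape(img.shape), idx

img = np.zeros((10, 10))
adv, idx = sparse_perturb(img)
```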
arXiv Detail & Related papers (2020-04-24T19:42:00Z)
- Towards Achieving Adversarial Robustness by Enforcing Feature Consistency Across Bit Planes [51.31334977346847]
We train networks to form coarse impressions based on the information in higher bit planes, and use the lower bit planes only to refine their prediction.
We demonstrate that, by imposing consistency on the representations learned across differently quantized images, the adversarial robustness of networks improves significantly.
arXiv Detail & Related papers (2020-04-01T09:31:10Z)
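The bit-plane decomposition this last paper builds on can be sketched directly. The paper's training procedure is not reproduced here; the block only shows how an 8-bit image splits into planes, with the higher planes carrying the coarse structure and the lower planes carrying fine detail (and most imperceptible adversarial noise).

```python
import numpy as np

def bit_planes(img_u8):
    """Split an 8-bit image into its 8 bit planes.
    Plane 0 is the least significant bit; plane 7 is the most significant."""
    return [(img_u8 >> b) & 1 for b in range(8)]

def quantize_to_top_bits(img_u8, keep=4):
    """Keep only the top `keep` bit planes, zeroing the rest: the 'coarse
    impression' the higher planes provide."""
    mask = np.uint8((0xFF << (8 - keep)) & 0xFF)
    return img_u8 & mask

img = np.array([[200, 13], [129, 255]], dtype=np.uint8)
planes = bit_planes(img)
coarse = quantize_to_top_bits(img, keep=4)
```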
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the information it contains and is not responsible for any consequences of its use.