SPOOF: Simple Pixel Operations for Out-of-Distribution Fooling
- URL: http://arxiv.org/abs/2512.06185v1
- Date: Fri, 05 Dec 2025 22:05:39 GMT
- Title: SPOOF: Simple Pixel Operations for Out-of-Distribution Fooling
- Authors: Ankit Gupta, Christoph Adami, Emily Dolson
- Abstract summary: High-confidence fooling persists even in state-of-the-art networks. We introduce SPOOF, a minimalist, consistent, and more efficient black-box attack generating high-confidence fooling images.
- Score: 1.7677668899907861
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Deep neural networks (DNNs) excel across image recognition tasks, yet continue to exhibit overconfidence on inputs that bear no resemblance to natural images. Revisiting the "fooling images" work introduced by Nguyen et al. (2015), we re-implement both CPPN-based and direct-encoding-based evolutionary fooling attacks on modern architectures, including convolutional and transformer classifiers. Our re-implementation confirms that high-confidence fooling persists even in state-of-the-art networks, with transformer-based ViT-B/16 emerging as the most susceptible--achieving near-certain misclassifications with substantially fewer queries than convolution-based models. We then introduce SPOOF, a minimalist, consistent, and more efficient black-box attack generating high-confidence fooling images. Despite its simplicity, SPOOF generates unrecognizable fooling images with minimal pixel modifications and drastically reduced compute. Furthermore, retraining with fooling images as an additional class provides only partial resistance, as SPOOF continues to fool consistently with slightly higher query budgets--highlighting persistent fragility of modern deep classifiers.
Related papers
- SFTok: Bridging the Performance Gap in Discrete Tokenizers [72.9996757048065]
We propose SFTok, a discrete tokenizer that incorporates a multi-step iterative mechanism for precise reconstruction. At a high compression rate of only 64 tokens per image, SFTok achieves state-of-the-art reconstruction quality on ImageNet.
arXiv Detail & Related papers (2025-12-18T18:59:04Z)
- Trans-defense: Transformer-based Denoiser for Adversarial Defense with Spatial-Frequency Domain Representation [11.290034765506816]
Deep neural networks (DNNs) are vulnerable to adversarial attacks, restricting their applications in security-critical systems. We present two-phase training methods to tackle the attack: first, training the denoising network, and second, the deep classifier model. We propose a novel denoising strategy that integrates both spatial and frequency domain approaches to defend against adversarial attacks on images.
arXiv Detail & Related papers (2025-10-31T07:29:50Z)
- Chasing Better Deep Image Priors between Over- and Under-parameterization [63.8954152220162]
We study a novel "lottery image prior" (LIP) by exploiting DNN inherent sparsity.
LIP subnetworks significantly outperform deep decoders under comparably compact model sizes.
We also extend LIP to compressive sensing image reconstruction, where a pre-trained GAN generator is used as the prior.
arXiv Detail & Related papers (2024-10-31T17:49:44Z)
- Distance Weighted Trans Network for Image Completion [52.318730994423106]
We propose a new architecture that relies on Distance-based Weighted Transformer (DWT) to better understand the relationships between an image's components.
CNNs are used to augment the local texture information of coarse priors.
DWT blocks are used to recover certain coarse textures and coherent visual structures.
arXiv Detail & Related papers (2023-10-11T12:46:11Z)
- On the unreasonable vulnerability of transformers for image restoration -- and an easy fix [16.927916090724363]
We investigate whether the improved adversarial robustness of ViTs extends to image restoration.
We consider the recently proposed Restormer model, as well as NAFNet and the "Baseline network".
Our experiments are performed on real-world images from the GoPro dataset for image deblurring.
arXiv Detail & Related papers (2023-07-25T23:09:05Z)
- Restormer: Efficient Transformer for High-Resolution Image Restoration [118.9617735769827]
Convolutional neural networks (CNNs) perform well at learning generalizable image priors from large-scale data.
Transformers have shown significant performance gains on natural language and high-level vision tasks.
Our model, named Restoration Transformer (Restormer), achieves state-of-the-art results on several image restoration tasks.
arXiv Detail & Related papers (2021-11-18T18:59:10Z)
- Less is More: Pay Less Attention in Vision Transformers [61.05787583247392]
Less attention vIsion Transformer builds upon the fact that convolutions, fully-connected layers, and self-attentions have almost equivalent mathematical expressions for processing image patch sequences.
The proposed LIT achieves promising performance on image recognition tasks, including image classification, object detection and instance segmentation.
arXiv Detail & Related papers (2021-05-29T05:26:07Z)
- Defending Adversarial Examples via DNN Bottleneck Reinforcement [20.08619981108837]
This paper presents a reinforcement scheme to alleviate the vulnerability of Deep Neural Networks (DNN) against adversarial attacks.
By reinforcing the former while maintaining the latter, any redundant information, be it adversarial or not, should be removed from the latent representation.
In order to reinforce the information bottleneck, we introduce the multi-scale low-pass objective and multi-scale high-frequency communication for better frequency steering in the network.
arXiv Detail & Related papers (2020-08-12T11:02:01Z)
- Image Fine-grained Inpainting [89.17316318927621]
We present a one-stage model that utilizes dense combinations of dilated convolutions to obtain larger and more effective receptive fields.
To better train this efficient generator, except for frequently-used VGG feature matching loss, we design a novel self-guided regression loss.
We also employ a discriminator with local and global branches to ensure local-global contents consistency.
arXiv Detail & Related papers (2020-02-07T03:45:25Z)
- A simple way to make neural networks robust against diverse image corruptions [29.225922892332342]
We show that a simple but properly tuned training with additive Gaussian and Speckle noise generalizes surprisingly well to unseen corruptions.
An adversarial training of the recognition model against uncorrelated worst-case noise leads to an additional increase in performance.
arXiv Detail & Related papers (2020-01-16T20:10:25Z)