
Black-box adversarial attacks by manipulating image attributes. (English) Zbl 1486.94019

Summary: Although various adversarial attack methods exist, most of them work by generating adversarial noise. Inspired by the fact that people usually set different camera parameters to obtain diverse visual styles when taking a picture, we propose adversarial attributes, which generate adversarial examples by manipulating image attributes such as brightness, contrast, sharpness and chroma to simulate the imaging process. This is done in the black-box setting, where only the predicted probabilities are known. We formulate the process as an optimization problem; solving it efficiently yields the optimal adversarial attributes with a limited number of queries. To guarantee that the adversarial examples remain realistic, we bound the attribute changes using an \(L_p\) norm for different values of \(p\). We also give a formal explanation of adversarial attributes based on the linear nature of Deep Neural Networks (DNNs). Extensive experiments are conducted on two public datasets, CIFAR-10 and ImageNet, against four representative DNNs: VGG16, AlexNet, Inception v3 and ResNet50. The results show that up to 97.79% of the images in the CIFAR-10 test set and 98.01% of the ImageNet images can be perturbed to at least one wrong class with on average \(\leqslant 300\) queries per image.
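The following block is an added worked example of the attack procedure the summary describes; it is example code written for this page, not the paper's implementation. Everything in it is an assumption made for illustration: the victim is a constructed toy classifier that exposes only class probabilities (the black-box setting of the paper), the attribute transforms follow the linear interpolation/extrapolation recipe of Haeberli and Voorhies (the semantics of PIL's ImageEnhance) for brightness, contrast and chroma, sharpness is omitted for brevity, the realism budget is enforced as \(\|\delta\|_p \le \epsilon\) for \(p = 2\) and \(p = \infty\), and the solver is an accept-if-better random search, which the summary does not specify. The two input images are constructed.

```python
import math
import random

# Added example (not the paper's code): a query-limited black-box "adversarial attribute"
# search against a constructed toy classifier. An image is a flat list of (r, g, b) pixels
# in [0, 1]. The attribute vector is (brightness, contrast, chroma); a factor of 1.0 leaves
# the image unchanged. Each transform follows the interpolate/extrapolate recipe of
# Haeberli and Voorhies (same semantics as PIL's ImageEnhance):
#     out = degenerate * (1 - factor) + image * factor
# Sharpness is left out here (assumption, for brevity); it would be one more factor whose
# degenerate image is a blurred copy.

def luminance(pixel):
    r, g, b = pixel
    return 0.299 * r + 0.587 * g + 0.114 * b

def clip01(x):
    return min(1.0, max(0.0, x))

def apply_attributes(image, attrs):
    """Render the image under the given (brightness, contrast, chroma) factors."""
    brightness, contrast, chroma = attrs
    # brightness: interpolate every channel toward black
    out = [tuple(clip01(c * brightness) for c in p) for p in image]
    # contrast: interpolate every channel toward the image's mean luminance
    mean = sum(luminance(p) for p in out) / len(out)
    out = [tuple(clip01(mean * (1.0 - contrast) + c * contrast) for c in p) for p in out]
    # chroma: interpolate each pixel toward its own gray value
    return [tuple(clip01(luminance(p) * (1.0 - chroma) + c * chroma) for c in p) for p in out]

def project(delta, p, eps):
    """Keep the attribute change inside the realism budget ||delta||_p <= eps (p = 2 or inf)."""
    if p == math.inf:
        return [max(-eps, min(eps, d)) for d in delta]
    if p == 2:
        norm = math.sqrt(sum(d * d for d in delta))
        return list(delta) if norm <= eps else [d * eps / norm for d in delta]
    raise ValueError("only p = 2 and p = inf are implemented here")

def argmax(values):
    return max(range(len(values)), key=values.__getitem__)

def toy_model(image):
    """Constructed stand-in for the victim network. As in the paper's setting, the attacker
    only sees the returned class probabilities. Class 0 = 'daylight', class 1 = 'night';
    the logit depends on mean luminance and mean saturation (max channel minus min channel)."""
    lum = sum(luminance(p) for p in image) / len(image)
    sat = sum(max(p) - min(p) for p in image) / len(image)
    logit = 6.0 * (lum - 0.5) + 3.0 * (sat - 0.3)
    p0 = 1.0 / (1.0 + math.exp(-logit))
    return [p0, 1.0 - p0]

def attribute_attack(model, image, label, p=math.inf, eps=0.3, budget=300, sigma=0.1, seed=0):
    """Untargeted black-box attack in attribute space.

    The solver is an accept-if-better random search (our simplification; the paper
    formulates an optimisation problem and this block does not claim to be its solver).
    Every model call is one query, including the initial probe; the search stops as soon as
    the top class changes or the budget is spent. Returns (success, attrs, queries, probs)."""
    rng = random.Random(seed)
    delta = [0.0, 0.0, 0.0]                       # change relative to the identity factors
    probs = model(apply_attributes(image, [1.0 + d for d in delta]))
    queries = 1
    best = probs[label]
    while queries < budget and argmax(probs) == label:
        cand = project([d + rng.gauss(0.0, sigma) for d in delta], p, eps)
        cand_probs = model(apply_attributes(image, [1.0 + d for d in cand]))
        queries += 1
        if cand_probs[label] < best:              # lower true-class probability: keep it
            delta, best, probs = cand, cand_probs[label], cand_probs
    success = argmax(probs) != label
    return success, [1.0 + d for d in delta], queries, probs

# Constructed inputs: a low-confidence 'daylight' image and a high-confidence one.
SAMPLE = [(0.7, 0.6, 0.5), (0.6, 0.6, 0.6), (0.5, 0.55, 0.65), (0.8, 0.7, 0.6)]
CONFIDENT = [(0.95, 0.9, 0.2)] * 4

if __name__ == "__main__":
    ok, attrs, used, probs = attribute_attack(toy_model, SAMPLE, label=0)
    print("SAMPLE flipped:", ok, "attrs:", [round(a, 3) for a in attrs], "queries:", used)
    ok, attrs, used, probs = attribute_attack(toy_model, CONFIDENT, label=0, eps=0.05)
    print("CONFIDENT flipped:", ok, "queries:", used)
```

Two points a practitioner should check in any implementation of this idea: the query counter must include every model call (the initial probe as well), since the paper's headline numbers are per-image query averages; and the budget projection must be applied before each query, not only to the final result, otherwise intermediate candidates can leave the realistic range and the reported bound is not what the model actually saw. Against a real victim, `toy_model` would be replaced by a function wrapping the prediction API, with the rest unchanged.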

MSC:

94A08 Image processing (compression, reconstruction, etc.) in information and communication theory
94A60 Cryptography
68T07 Artificial neural networks and deep learning
