Adversarial image generation by spatial transformation in perceptual colorspaces

Deep neural networks are known to be vulnerable to adversarial perturbations. The amount of these perturbations are generally quantified using Lp metrics, such as L0, L2 and L∞. However, even when the measured perturbations are small, they tend to be noticeable by human observers since Lp distance m...

Full description

Saved in:
Bibliographic Details
Published in:Pattern recognition letters 2023-10, Vol.174, p.92-98
Main Authors: Aydin, Ayberk, Temizel, Alptekin
Format: Article
Language:English
Subjects:
Adversarial examples
Deep learning
Perceptual colorspace
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Deep neural networks are known to be vulnerable to adversarial perturbations. The amount of these perturbations are generally quantified using Lp metrics, such as L0, L2 and L∞. However, even when the measured perturbations are small, they tend to be noticeable by human observers since Lp distance metrics are not representative of human perception. On the other hand, humans are less sensitive to changes in colorspace. In addition, pixel shifts in a constrained neighborhood are hard to notice. Motivated by these observations, we propose a method that creates adversarial examples by applying spatial transformations, which creates adversarial examples by changing the pixel locations independently to chrominance channels of perceptual colorspaces such as YCbCr and CIELAB, instead of making an additive perturbation or manipulating pixel values directly. In a targeted white-box attack setting, the proposed method is able to obtain competitive fooling rates with very high confidence. The experimental evaluations show that the proposed method has favorable results in terms of approximate perceptual distance between benign and adversarially generated images. The source code is publicly available at https://github.com/ayberkydn/stadv-torch. •Local spatial information loss in chrominance channels does not produce perceptible changes.•Spatial transformation in chrominance channels can generate adversarial examples with high perceptual quality scores.•Spatial transformation in chrominance channels with small magnitude generates imperceptible adversarial examples.
ISSN:0167-8655
1872-7344
DOI:10.1016/j.patrec.2023.09.003