Invisible Adversarial Attack against Deep Neural Networks: An Adaptive Penalization Approach

Recent studies demonstrated that deep neural networks (DNNs) are vulnerable to adversarial examples, which would seriously threaten security-sensitive applications. Existing works synthesized the adversarial examples by perturbing the original/benign images by leveraging the \mathcal {L}_p Lp -norm...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on dependable and secure computing 2021-05, Vol.18 (3), p.1474-1488
Main Authors: Wang, Zhibo, Song, Mengkai, Zheng, Siyan, Zhang, Zhifei, Song, Yang, Wang, Qian
Format: Article
Language:English
Subjects:
Adversarial examples
Artificial neural networks
Atmospheric measurements
Distortion
just noticeable distortion
Neural networks
Particle measurements
perceptual similarity
Perturbation
Perturbation methods
Pixels
Redundancy
Similarity
Synthesis
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Recent studies demonstrated that deep neural networks (DNNs) are vulnerable to adversarial examples, which would seriously threaten security-sensitive applications. Existing works synthesized the adversarial examples by perturbing the original/benign images by leveraging the \mathcal {L}_p Lp -norm to penalize the perturbations, which restricts the pixel-wise distance between the adversarial images and correspondingly benign images. However, they added perturbations globally to the benign images without explicitly considering their content/spacial structure, resulting in noticeable artifacts especially in those originally clean regions, e.g., sky and smooth surface. In this paper, we propose an invisible adversarial attack, which synthesizes adversarial examples that are visually indistinguishable from benign ones. We adaptively distribute the perturbation according to human sensitivity to a local stimulus in the benign image, i.e., the higher insensitivity, the more perturbation. Two types of adaptive adversarial attacks are proposed: 1) coarse-grained and 2) fine-grained. The former conducts \mathcal {L}_p Lp -norm regularized by the novel spatial constraints, which utilizes the rich information of the cluttered regions to mask perturbation. The latter, called Just Noticeable Distortion (JND)-based adversarial attack, utilizes the proposed JND_p p metric for better measuring the perceptual similarity, and adaptively sets penalty by weighting the pixel-wise perceptual redundancy of an image. We conduct extensive experiments on the MNIST, CIFAR-10 and ImageNet datasets and a comprehensive user study with 50 participants. The experimental results demonstrate that JND_p p
ISSN:1545-5971
1941-0018
DOI:10.1109/TDSC.2019.2929047