
Adversarial Image Color Transformations in Explicit Color Filter Space (2011.06690v3)

Published 12 Nov 2020 in cs.CV, cs.CR, and cs.LG

Abstract: Deep Neural Networks have been shown to be vulnerable to adversarial images. Conventional attacks strive for indistinguishable adversarial images with strictly restricted perturbations. Recently, researchers have moved to explore distinguishable yet non-suspicious adversarial images and demonstrated that color transformation attacks are effective. In this work, we propose Adversarial Color Filter (AdvCF), a novel color transformation attack that is optimized with gradient information in the parameter space of a simple color filter. In particular, our color filter space is explicitly specified so that we are able to provide a systematic analysis of model robustness against adversarial color transformations, from both the attack and defense perspectives. In contrast, existing color transformation attacks do not offer the opportunity for systematic analysis due to the lack of such an explicit space. We further demonstrate the effectiveness of our AdvCF in fooling image classifiers and also compare it with other color transformation attacks regarding their robustness to defenses and image acceptability through an extensive user study. We also highlight the human-interpretability of AdvCF and show its superiority over the state-of-the-art human-interpretable color transformation attack on both image acceptability and efficiency. Additional results provide interesting new insights into model robustness against AdvCF in another three visual tasks.
