RetouchUAA: Unconstrained Adversarial Attack via Image Retouching (2311.16478v1)
Abstract: Deep Neural Networks (DNNs) are susceptible to adversarial examples. Conventional attacks generate controlled noise-like perturbations that fail to reflect real-world scenarios and are hard to interpret. In contrast, recent unconstrained attacks mimic natural image transformations occurring in the real world to produce perceptible but inconspicuous attacks, yet they compromise realism because they neglect image post-processing and leave the attack direction uncontrolled. In this paper, we propose RetouchUAA, an unconstrained attack that exploits a real-life perturbation: image retouching styles, highlighting its potential threat to DNNs. Compared to existing attacks, RetouchUAA offers several notable advantages. Firstly, RetouchUAA excels in generating interpretable and realistic perturbations through two key designs: the image retouching attack framework and the retouching style guidance module. The former is a human-interpretable retouching framework custom-designed for adversarial attack; by linearizing images while modelling the local processing and retouching decision-making of human retouching behaviour, it provides an explicit and reasonable pipeline for understanding the robustness of DNNs against retouching. The latter guides the adversarial image towards standard retouching styles, thereby ensuring its realism. Secondly, owing to the design of the retouching decision regularization and the persistent attack strategy, RetouchUAA also exhibits outstanding attack capability and defense robustness, posing a heavy threat to DNNs. Experiments on ImageNet and Place365 reveal that RetouchUAA achieves nearly 100% white-box attack success against three DNNs, while achieving a better trade-off between image naturalness, transferability and defense robustness than baseline attacks.