College of Computer Science and Software Engineering, SZU

 Frequency-Driven Imperceptible Adversarial Attack on Semantic Similarity

IEEE Conference on Computer Vision and Pattern Recognition (CVPR 2022)

 

Cheng Luo1,2,3    Qinliang Lin1,2,3    Weicheng Xie1,2,3    Bizhu Wu1,2,3    Jinheng Xie1,2,3    Linlin Shen1,2,3

1Shenzhen University    2Shenzhen Institute of Artificial Intelligence and Robotics for Society    3Guangdong Key Laboratory of Intelligent Information Processing

 

Figure 1: Comparison of the adversarial examples and perturbations generated by three different attack methods: (a) C&W, (b) Our SSA (semantic similarity attack), and (c) Our SSAH (semantic similarity attack on high-frequency components). For the visualization, we regularize the perturbation by taking its absolute value and multiplying it by 25. 

 

Abstract

Current adversarial attack research reveals the vulnerability of learning-based classifiers against carefully crafted perturbations. However, most existing attack methods have inherent limitations in cross-dataset generalization as they rely on a classification layer with a closed set of categories. Furthermore, the perturbations generated by these methods may appear in regions easily perceptible to the human visual system (HVS). To circumvent the former problem, we propose a novel algorithm that attacks semantic similarity on feature representations. In this way, we are able to fool classifiers without limiting attacks to a specific dataset. For imperceptibility, we introduce the low frequency constraint to limit perturbations within high frequency components, ensuring perceptual similarity between adversarial examples and originals. Extensive experiments on three datasets (CIFAR-10, CIFAR-100, and ImageNet-1K) and three public online platforms indicate that our attack can yield misleading and transferable adversarial examples across architectures and datasets. Additionally, visualization results and quantitative performance (in terms of four different metrics) show that the proposed algorithm generates more imperceptible perturbations than the state-of-the-art methods.

 

Figure 2: An overview of the proposed SSAH. Left: Semantic Similarity Attack; Right: Low-frequency Constraint. f(·) is the mapping from an image to its embedding in representation space. Φ(·) is a shallow network that decomposes an image into different frequency components and reconstructs it using the low-frequency component.

 

Figure 3: Illustration of our image decomposition and reconstruction by wavelet transforms. An image x with complex (e.g., Part A) and smooth (e.g., Part B) contexts can be decomposed into the low-frequency component (xll) and high-frequency components (xlh, xhl, and xhh) by Discrete Wavelet Transform (DWT). The reconstructed image x has the same fundamental shape and resolution as the original image x.
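The decomposition in Figure 3 can be used from the analysis side to measure which sub-bands a given perturbation occupies. The following is an added example, not code from the paper or its authors; it assumes a single-level Haar wavelet (the page does not name the wavelet), and the sample image and perturbations are constructed.

```python
# Added example: single-level 2D Haar DWT in pure Python (wavelet choice is an assumption).
def haar_dwt2(x):
    """Split an even-sized 2D list into sub-bands (ll, lh, hl, hh)."""
    h, w = len(x) // 2, len(x[0]) // 2
    ll, lh, hl, hh = ([[0.0] * w for _ in range(h)] for _ in range(4))
    for i in range(h):
        for j in range(w):
            a, b = x[2 * i][2 * j], x[2 * i][2 * j + 1]
            c, d = x[2 * i + 1][2 * j], x[2 * i + 1][2 * j + 1]
            ll[i][j] = (a + b + c + d) / 2   # local average (low frequency)
            lh[i][j] = (a + b - c - d) / 2   # difference between rows
            hl[i][j] = (a - b + c - d) / 2   # difference between columns
            hh[i][j] = (a - b - c + d) / 2   # diagonal difference
    return ll, lh, hl, hh

def haar_idwt2(ll, lh, hl, hh):
    """Inverse transform: rebuild the full-resolution image from four sub-bands."""
    h, w = len(ll), len(ll[0])
    x = [[0.0] * (2 * w) for _ in range(2 * h)]
    for i in range(h):
        for j in range(w):
            s, v, u, t = ll[i][j], lh[i][j], hl[i][j], hh[i][j]
            x[2 * i][2 * j] = (s + v + u + t) / 2
            x[2 * i][2 * j + 1] = (s + v - u - t) / 2
            x[2 * i + 1][2 * j] = (s - v + u - t) / 2
            x[2 * i + 1][2 * j + 1] = (s - v - u + t) / 2
    return x

def low_freq_reconstruct(x):
    """Reconstruct at the original resolution from the ll sub-band only."""
    ll = haar_dwt2(x)[0]
    zero = [[0.0] * len(ll[0]) for _ in ll]
    return haar_idwt2(ll, zero, zero, zero)

def band_energy(delta):
    """Fraction of a perturbation's energy that falls in each sub-band."""
    e = [sum(v * v for row in band for v in row) for band in haar_dwt2(delta)]
    total = sum(e) or 1.0
    return dict(zip(("ll", "lh", "hl", "hh"), (v / total for v in e)))

# Constructed 4x4 sample image and two constructed perturbations.
IMAGE = [[10, 12, 200, 202], [11, 13, 201, 203], [50, 50, 90, 90], [50, 50, 90, 90]]
HF_DELTA = [[2, -2, 2, -2], [-2, 2, -2, 2], [2, -2, 2, -2], [-2, 2, -2, 2]]  # checkerboard
LF_DELTA = [[2] * 4 for _ in range(4)]                                      # uniform shift
ADV = [[p + q for p, q in zip(r, s)] for r, s in zip(IMAGE, HF_DELTA)]
print(band_energy(HF_DELTA), band_energy(LF_DELTA))
```

A perturbation whose energy sits entirely in the high-frequency sub-bands leaves the low-frequency reconstruction identical to that of the original image, which is the property the low-frequency constraint enforces.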

 

Figure 4: Adversarial examples generated by five different attack approaches on CIFAR-100.

 

Figure 5: Adversarial examples and perturbations generated by three attack approaches on two high-resolution images from ImageNet-1K. This figure is best viewed in color/screen.

 

Figure 6: The 2D feature representation of the adversarial example using the t-SNE algorithm under (a) SSAH and (b) C&W. An adversarial example representation gradually updates from its original class (horse) to the selected target class (ship). The results in the iteration of 10, 15, 20, 30, and 40 are presented.

 

Figure 7: Normalized perturbations generated by SSA and SSAH in different iterations.

 

Acknowledgements

The work was supported by the National Natural Science Foundation of China under grants no. 61602315 and 91959108, the Science and Technology Project of Guangdong Province under grant no. 2020A1515010707, and the Science and Technology Innovation Commission of Shenzhen under grant no. JCYJ20190808165203670.

 

Bibtex

@inproceedings{luo2022frequency,
  title={Frequency-driven Imperceptible Adversarial Attack on Semantic Similarity},
  author={Luo, Cheng and Lin, Qinliang and Xie, Weicheng and Wu, Bizhu and Xie, Jinheng and Shen, Linlin},
  booktitle={Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)},
  year={2022}
}
