LaVAN: Localized and Visible Adversarial Noise
This addresses security vulnerabilities in AI systems for computer vision applications, representing an incremental advance by focusing on localized rather than full-image noise.
The paper tackles the problem of adversarial attacks on deep-learning image classifiers by generating visible but localized noise patches that cover only 2% of pixels and avoid the main object, achieving high success rates in fooling a state-of-the-art Inception v3 model.
Most works on adversarial examples for deep-learning based image classifiers use noise that, while small, covers the entire image. We explore the case where the noise is allowed to be visible but confined to a small, localized patch of the image, without covering any of the main object(s) in the image. We show that it is possible to generate localized adversarial noises that cover only 2% of the pixels in the image, none of them over the main object, and that are transferable across images and locations, and successfully fool a state-of-the-art Inception v3 model with very high success rates.