Towards Large yet Imperceptible Adversarial Image Perturbations with Perceptual Color Distance
This work addresses the challenge of generating stealthy adversarial attacks for image classification, which is incremental as it builds on existing methods by incorporating human color perception.
The authors tackled the problem of creating adversarial image perturbations that are both effective and visually imperceptible by using perceptual color distance instead of traditional RGB norm bounds, resulting in methods that maintain adversarial strength while improving imperceptibility and outperforming conventional approaches in robustness and transferability.
The success of image perturbations that are designed to fool image classifier is assessed in terms of both adversarial effect and visual imperceptibility. The conventional assumption on imperceptibility is that perturbations should strive for tight $L_p$-norm bounds in RGB space. In this work, we drop this assumption by pursuing an approach that exploits human color perception, and more specifically, minimizing perturbation size with respect to perceptual color distance. Our first approach, Perceptual Color distance C&W (PerC-C&W), extends the widely-used C&W approach and produces larger RGB perturbations. PerC-C&W is able to maintain adversarial strength, while contributing to imperceptibility. Our second approach, Perceptual Color distance Alternating Loss (PerC-AL), achieves the same outcome, but does so more efficiently by alternating between the classification loss and perceptual color difference when updating perturbations. Experimental evaluation shows PerC approaches outperform conventional $L_p$ approaches in terms of robustness and transferability, and also demonstrates that the PerC distance can provide added value on top of existing structure-based methods to creating image perturbations.