Frequency-Tuned Universal Adversarial Attacks
This addresses the challenge of generating imperceptible yet effective adversarial attacks for image classification systems, representing an incremental improvement over existing universal attack techniques.
The paper tackles the problem of creating universal adversarial perturbations for CNNs by proposing a frequency-tuned method that uses JND thresholds to balance perceivability and effectiveness, achieving cutting-edge fooling rates in both white-box and black-box attacks.
Researchers have shown that the predictions of a convolutional neural network (CNN) for an image set can be severely distorted by one single image-agnostic perturbation, or universal perturbation, usually with an empirically fixed threshold in the spatial domain to restrict its perceivability. However, by considering the human perception, we propose to adopt JND thresholds to guide the perceivability of universal adversarial perturbations. Based on this, we propose a frequency-tuned universal attack method to compute universal perturbations and show that our method can realize a good balance between perceivability and effectiveness in terms of fooling rate by adapting the perturbations to the local frequency content. Compared with existing universal adversarial attack techniques, our frequency-tuned attack method can achieve cutting-edge quantitative results. We demonstrate that our approach can significantly improve the performance of the baseline on both white-box and black-box attacks.