CV, AI, CR | Oct 29, 2020

WaveTransform: Crafting Adversarial Examples via Input Decomposition

arXiv:2010.15773v1 | 12 citations
Originality: Incremental advance
AI Analysis

This paper addresses the problem of adversarial vulnerability in CNNs for security applications, but it is incremental because it builds on existing frequency-based attack methods.

The paper tackles the problem of creating adversarial examples by decomposing images into frequency subbands using wavelet decomposition, corrupting those subbands, and constructing the adversarial example from them. Experiments show the attack is effective against defense algorithms and transferable across CNNs, with specific performance gains reported in robustness tests.

Frequency spectrum has played a significant role in learning unique and discriminating features for object recognition. Both low and high frequency information present in images have been extracted and learnt by a host of representation learning techniques, including deep learning. Inspired by this observation, we introduce a novel class of adversarial attacks, namely 'WaveTransform', that creates adversarial noise corresponding to low-frequency and high-frequency subbands, separately (or in combination). The frequency subbands are analyzed using wavelet decomposition; the subbands are corrupted and then used to construct an adversarial example. Experiments are performed using multiple databases and CNN models to establish the effectiveness of the proposed WaveTransform attack and analyze the importance of a particular frequency component. The robustness of the proposed attack is also evaluated through its transferability and resiliency against a recent adversarial defense algorithm. Experiments show that the proposed attack is effective against the defense algorithm and is also transferable across CNNs.
