Towards Imperceptible Universal Attacks on Texture Recognition
This work addresses the vulnerability of DNN-based texture recognition systems to imperceptible universal adversarial attacks, which is an incremental problem for computer vision security.
This paper explores universal adversarial attacks on deep neural networks for texture recognition, identifying that spatial domain $l_p$ norm limits are unsuitable for texture images. They propose a frequency-tuned universal attack method, achieving similar or higher white-box fooling rates while producing less perceptible perturbations compared to existing methods.
Although deep neural networks (DNNs) have been shown to be susceptible to image-agnostic adversarial attacks on natural image classification problems, the effects of such attacks on DNN-based texture recognition have yet to be explored. As part of our work, we find that limiting the perturbation's $l_p$ norm in the spatial domain may not be a suitable way to restrict the perceptibility of universal adversarial perturbations for texture images. Based on the fact that human perception is affected by local visual frequency characteristics, we propose a frequency-tuned universal attack method to compute universal perturbations in the frequency domain. Our experiments indicate that our proposed method can produce less perceptible perturbations yet with a similar or higher white-box fooling rates on various DNN texture classifiers and texture datasets as compared to existing universal attack techniques. We also demonstrate that our approach can improve the attack robustness against defended models as well as the cross-dataset transferability for texture recognition problems.