Perceptually Constrained Adversarial Attacks
This work addresses the issue of evaluating adversarial attacks and defenses in a perceptually meaningful way for image classification, representing an incremental improvement by replacing Lp norms with SSIM.
The authors tackled the problem that standard Lp norms fail to capture perceptual quality in adversarial attacks for image classification, proposing SSIM-constrained attacks that break state-of-the-art adversarially trained classifiers on MNIST and CIFAR-10 with similar or larger success rates than elastic net attacks while providing better perceptual quality.
Motivated by previous observations that the usually applied $L_p$ norms ($p=1,2,\infty$) do not capture the perceptual quality of adversarial examples in image classification, we propose to replace these norms with the structural similarity index (SSIM) measure, which was developed originally to measure the perceptual similarity of images. Through extensive experiments with adversarially trained classifiers for MNIST and CIFAR-10, we demonstrate that our SSIM-constrained adversarial attacks can break state-of-the-art adversarially trained classifiers and achieve similar or larger success rate than the elastic net attack, while consistently providing adversarial images of better perceptual quality. Utilizing SSIM to automatically identify and disallow adversarial images of low quality, we evaluate the performance of several defense schemes in a perceptually much more meaningful way than was done previously in the literature.