Demiguise Attack: Crafting Invisible Semantic Adversarial Perturbations with Perceptual Similarity
This addresses security vulnerabilities in deep neural networks for applications like image recognition, though it is incremental as it builds on existing attack methods.
The paper tackles the problem of adversarial examples being perceptible to humans and ineffective against black-box models or defenses by proposing the Demiguise Attack, which crafts photorealistic perturbations using perceptual similarity, resulting in improved fooling rates, transferability, and robustness compared to state-of-the-art methods.
Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples. Adversarial examples are malicious images with visually imperceptible perturbations. While these carefully crafted perturbations restricted with tight $\Lp$ norm bounds are small, they are still easily perceivable by humans. These perturbations also have limited success rates when attacking black-box models or models with defenses like noise reduction filters. To solve these problems, we propose Demiguise Attack, crafting ``unrestricted'' perturbations with Perceptual Similarity. Specifically, we can create powerful and photorealistic adversarial examples by manipulating semantic information based on Perceptual Similarity. Adversarial examples we generate are friendly to the human visual system (HVS), although the perturbations are of large magnitudes. We extend widely-used attacks with our approach, enhancing adversarial effectiveness impressively while contributing to imperceptibility. Extensive experiments show that the proposed method not only outperforms various state-of-the-art attacks in terms of fooling rate, transferability, and robustness against defenses but can also improve attacks effectively. In addition, we also notice that our implementation can simulate illumination and contrast changes that occur in real-world scenarios, which will contribute to exposing the blind spots of DNNs.