CV · IV · Dec 12, 2023

SSTA: Salient Spatially Transformed Attack

arXiv:2312.07258v1 · 2 citations · h-index: 6 · ICASSP
Originality: Incremental advance
AI Analysis

This work addresses security risks for AI models in real-world applications by enhancing the stealthiness of adversarial attacks, though it is incremental, as it builds on existing spatial transformation methods.

The paper tackles the problem of adversarial attacks on deep neural networks being easily detectable by humans due to noise-based methods, and proposes SSTA to craft imperceptible adversarial examples by applying smooth spatial transformations to critical image areas, achieving a 100% attack success rate while improving stealthiness.

Extensive studies have demonstrated that deep neural networks (DNNs) are vulnerable to adversarial attacks, which poses a huge security risk to the further application of DNNs, especially for the AI models developed in the real world. Despite the significant progress that has been made recently, existing attack methods still suffer from unsatisfactory performance in escaping detection by the naked human eye, because the formulation of adversarial examples (AEs) relies heavily on adding noise. These challenges will significantly increase the risk of exposure and cause an attack to fail. Therefore, in this paper, we propose the Salient Spatially Transformed Attack (SSTA), a novel framework to craft imperceptible AEs, which enhances the stealthiness of AEs by estimating a smooth spatial transform metric on the most critical area to generate AEs instead of adding external noise to the whole image. Compared to state-of-the-art baselines, extensive experiments indicate that SSTA can effectively improve the imperceptibility of the AEs while maintaining a 100% attack success rate.
