Adversarial Examples by Perturbing High-level Features in Intermediate Decoder Layers

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F22%3A00359626" target="_blank" >RIV/68407700:21230/22:00359626 - isvavai.cz</a>

Výsledek na webu

<a href="https://doi.org/10.5220/0010892800003116" target="_blank" >https://doi.org/10.5220/0010892800003116</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.5220/0010892800003116" target="_blank" >10.5220/0010892800003116</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Adversarial Examples by Perturbing High-level Features in Intermediate Decoder Layers

Popis výsledku v původním jazyce

We propose a novel method for creating adversarial examples. Instead of perturbing pixels, we use an encoder-decoder representation of the input image and perturb intermediate layers in the decoder. This changes the high-level features provided by the generative model. Therefore, our perturbation possesses semantic meaning, such as a longer beak or green tints. We formulate this task as an optimization problem by minimizing the Wasserstein distance between the adversarial and initial images under a misclassification constraint. We employ the projected gradient method with a simple inexact projection. Due to the projection, all iterations are feasible, and our method always generates adversarial images. We perform numerical experiments by fooling MNIST and ImageNet classifiers in both targeted and untargeted settings. We demonstrate that our adversarial images are much less vulnerable to steganographic defence techniques than pixel-based attacks. Moreover, we show that our method modifies key features such as edges and that defence techniques based on adversarial training are vulnerable to our attacks.

Název v anglickém jazyce

Adversarial Examples by Perturbing High-level Features in Intermediate Decoder Layers

Popis výsledku anglicky

We propose a novel method for creating adversarial examples. Instead of perturbing pixels, we use an encoder-decoder representation of the input image and perturb intermediate layers in the decoder. This changes the high-level features provided by the generative model. Therefore, our perturbation possesses semantic meaning, such as a longer beak or green tints. We formulate this task as an optimization problem by minimizing the Wasserstein distance between the adversarial and initial images under a misclassification constraint. We employ the projected gradient method with a simple inexact projection. Due to the projection, all iterations are feasible, and our method always generates adversarial images. We perform numerical experiments by fooling MNIST and ImageNet classifiers in both targeted and untargeted settings. We demonstrate that our adversarial images are much less vulnerable to steganographic defence techniques than pixel-based attacks. Moreover, we show that our method modifies key features such as edges and that defence techniques based on adversarial training are vulnerable to our attacks.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

<a href="/cs/project/EF16_019%2F0000765" target="_blank" >EF16_019/0000765: Výzkumné centrum informatiky</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2022

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

ICAART: PROCEEDINGS OF THE 14TH INTERNATIONAL CONFERENCE ON AGENTS AND ARTIFICIAL INTELLIGENCE - VOL 2

ISBN

978-989-758-547-0

ISSN

—

e-ISSN

2184-433X

Počet stran výsledku

12

Strana od-do

496-507

Název nakladatele

SciTePress - Science and Technology Publications

Místo vydání

Porto

Místo konání akce

Online Streaming

Datum konání akce

3. 3. 2022

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

000774441800046