TY - JOUR
T1 - Improving the invisibility of adversarial examples with perceptually adaptive perturbation
AU - Zhang, Yaoyuan
AU - Tan, Yu-an
AU - Sun, Haipeng
AU - Zhao, Yuhang
AU - Zhang, Quanxin
AU - Li, Yuanzhang
N1 - Publisher Copyright:
© 2023 Elsevier Inc.
PY - 2023/7
Y1 - 2023/7
AB - Deep neural networks (DNNs) are vulnerable to adversarial examples generated by adding subtle perturbations to benign inputs. Although the Lp norm constraint keeps these perturbations small, they are still easily spotted by the human eye. This paper proposes the Perceptual Sensitive Attack (PS Attack) to address this flaw with a perceptually adaptive scheme. We add the Just Noticeable Difference (JND) as prior information to adversarial attacks, confining image changes to areas to which the human eye is insensitive. By integrating the JND matrix into the Lp norm, PS Attack projects perturbations onto the JND space around the clean data, yielding less perceptible adversarial perturbations. PS Attack also mitigates the trade-off between the imperceptibility and transferability of adversarial images through an adjustable visual coefficient. Extensive experiments demonstrate that combining PS Attack with state-of-the-art black-box approaches significantly improves the naturalness of adversarial examples while maintaining their attack ability. Compared to state-of-the-art transferable attacks, our attacks reduce LPIPS by 8% on average when attacking both normally trained and defended models.
KW - Adversarial examples
KW - Deep neural networks
KW - Image classification
KW - Just noticeable difference
KW - Perceptually adaptive
UR - http://www.scopus.com/inward/record.url?scp=85151254958&partnerID=8YFLogxK
U2 - 10.1016/j.ins.2023.03.139
DO - 10.1016/j.ins.2023.03.139
M3 - Article
AN - SCOPUS:85151254958
SN - 0020-0255
VL - 635
SP - 126
EP - 137
JO - Information Sciences
JF - Information Sciences
ER -
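
Note: the abstract above describes replacing the usual uniform Lp budget with a per-pixel, JND-weighted budget. The sketch below illustrates that idea as one step of a PGD-style attack, assuming the JND matrix is given; the function name ps_attack_step, the visual coefficient alpha_vis, and the step size are illustrative placeholders, not the authors' code or API.

```python
# Hypothetical sketch of one JND-constrained attack step (not the paper's implementation).
import numpy as np

def ps_attack_step(x_adv, grad, x_clean, jnd, alpha_vis=1.0, step=1.0 / 255):
    """One signed-gradient ascent step, then projection onto a JND-scaled box.

    x_adv     : current adversarial image, float array in [0, 1]
    grad      : gradient of the attack loss w.r.t. x_adv
    x_clean   : original benign image, same shape as x_adv
    jnd       : per-pixel Just Noticeable Difference matrix, same shape
    alpha_vis : visual coefficient scaling the JND budget (assumed knob for
                the imperceptibility/transferability trade-off)
    """
    # FGSM-style update in the direction that increases the attack loss.
    x_adv = x_adv + step * np.sign(grad)
    # Perceptually adaptive budget: larger where the eye is less sensitive.
    budget = alpha_vis * jnd
    # Project back onto the JND box around the clean image (elementwise clip).
    x_adv = np.clip(x_adv, x_clean - budget, x_clean + budget)
    # Keep the result a valid image.
    return np.clip(x_adv, 0.0, 1.0)
```

Iterating this step plays the role of projecting perturbations onto the "JND space around clean data"; with jnd set to a constant epsilon it degenerates to ordinary L-infinity PGD.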