Preprint manuscript No. (will be inserted by the editor) On Procedural Adversarial Noise Attack And Defense Jun Yan, Xiaoyang Deng, Huilin Yin, Wancheng Ge Received: date / Accepted: date Abstract realize the cross-model and cross-data attack effect. We provide a detailed empirical study to Deep Neural Networks (DNNs) are vulnerable validate the effectiveness of our method. In the to adversarial examples which would inveigle attack experiments, the results of our proposed neural networks to make prediction errors with methods surpass the state-of-the-art methods of small perturbations on the input images. However, procedural adversarial noise attack, black-box most of the proposed attacks depend on specific attack, and universal adversarial perturbation models and data. Researchers have been devoted attack on the ImageNet dataset and the CIFAR-10 to promoting the study on universal adversarial dataset. Moreover, before our work, there is no perturbations (UAPs) which have little prior discussion about the defense on the procedural knowledge on data distributions. Procedural adversarial noise attacks. Therefore, we evaluate adversarial noise attack is a data-independent the denoising-based defense methods and other universal perturbation generation method. Adding state-of-the-art defense methods on ImageNet the texture pattern with the shading based on the and CIFAR-10. The result of the defense ex- rendering technology to the original image achieves periment verifies some theoretical analysis of the deceit on the neural networks without changing robustness in deep learning. Code is available at the visual semantic representations. Similar to https://github.com/momo1986/adversarial_example_simplex_worley. the disturbance of shading on human eyes, the Keywords Adversarial examples universal shading generated by procedural noise can also · fool the neural networks. Previous research on adversarial perturbations black-box attack procedural adversarial noise· robustness · procedural adversarial noise provides a baseline, · however, the performance of attack can be pro- moted with a more aesthetic rendering effect. In this paper, we propose two universal adversarial perturbation (UAP) generation methods based 1 Introduction on procedural noise functions: Simplex noise and Worley noise. The UAPs with such solid textures The last decade is an era of deep learning’s renais- sance. In the field of computer vision, Convolutional Jun Yan Neural Networks (CNNs) (He et al., 2016, Hu et al., Department of Information and Communication Engineer- arXiv:2108.04409v2 [cs.LG] 27 Aug 2021 ing at Tongji University, Shanghai, China 2018, Ioffe and Szegedy, 2015, Krizhevsky et al., E-mail: [email protected] 2012, Lin et al., 2014, Simonyan and Zisserman, 2015, Xiaoyang Deng Szegedy et al., 2015, 2016, 2017) have been widely Department of Control Science and Engineering at Tongji used in real applications related to visual percep- University, Shanghai, China tion and cognition. Using automated machine learn- E-mail: [email protected] ing (AutoML) to replace craft neural network design BHuilin Yin (Corresponding author) is also a popular trend. Zoph and Le (Zoph and Le, Department of Control Science and Engineering at Tongji 2017) proposed a neural architecture search method University, Shanghai, China E-mail: [email protected] based on reinforcement learning which outperforms most of the CNN models on the metrics of the pre- Wancheng Ge Department of Information and Communication Engineer- diction accuracy. ing at Tongji University, Shanghai, China However, deep learning cannot guarantee security. E-mail: [email protected] Despite the high accuracy of the clean testing dataset, 2 Jun Yan, Xiaoyang Deng, Huilin Yin, Wancheng Ge most CNN models are vulnerable to adversarial ex- noise are also commonly used noise function models. amples. White-box attacks (Athalye et al., 2018a,b, In previous work (Co et al., 2019a,b), two adversarial Carlini and Wagner, 2017, Goodfellow et al., 2015, attacks based on procedural noise functions are pro- Kurakin et al., 2017, Madry et al., 2018, Moosavi- posed with the state-of-the-art effect. Nevertheless, Dezfooli et al., 2016, Papernot et al., 2016) are many proposed noise attack methods do not have a gradient-based to update adversarial perturbations superior performance which needs further improve- with the exploration of the model structures dur- ment. Currently, Perlin noise attack (Co et al., 2019a) ing the optimization process. Other black-box at- is a state-of-the-art procedural adversarial noise at- tacks (Brendel et al., 2018, Guo et al., 2019, Ilyas tack. However, Perlin noise has several shortcomings: et al., 2018, Li et al., 2019, Moon et al., 2019, Uesato visually significant anisotropy, gradient artifacts, and et al., 2018) are built on lots of queries of input in- higher computation cost. The drawbacks of the ren- formation and output information of models, which dering technology existed in Perlin noise may hinder is time-consuming. To make the attack convenient the adversarial attack performance in computer vi- in the deployment, researchers are devoted to find- sion. Therefore, it gives us an inspiration to promote ing image-agnostic adversarial perturbations. Univer- the research on the procedural adversarial noise at- sal adversarial perturbations (UAP) introduced in the tack. Moreover, before our work, there is almost no previous work (Moosavi-Dezfooli et al., 2017) can fool discussion on the defense technologies under the pro- state-of-the-art image classification models with high cedural adversarial noise attacks. possibilities and small perturbations. The proposed In this paper, we propose two universal adversar- UAP methods are quasi-imperceptible and do not re- ial perturbation attack methods based on noise func- quire solving an optimization problem. The univer- tions: Simplex noise attack and Worley noise attack. sal perturbations can transfer between different im- We empirically demonstrate that the neural networks ages and different models. Afterward, a lot of pa- are fragile to the procedural noises that act as the uni- pers (Hayes and Danezis, 2018, Mopuri et al., 2017, versal adversarial perturbations (UAPs). In the at- 2018, 2019) are published. tack experiment, our methods show superior perfor- Generating universal adversarial examples based mance compared with the state-of-the-art noise at- on the procedural noise functions can be a research tack methods, black-box attack methods, and UAP direction. These procedural noise functions are com- methods. In the defense experiment, we evaluate the monly used in computer graphics and designed to denoising methods and the defense methods provided be parametrizable, customizable, and aesthetic (La- by the RealSafe (Dong et al., 2020) benchmark. gae et al., 2010). Adding textures and patterns in Our contributions in this paper are listed as fol- the pictures does not modify the visual semantic lows: representations. The perturbation patterns generated by procedural noise functions have similar struc- – We propose two procedural adversarial noise per- tures with the existing universal adversarial per- turbation attack methods: Simplex noise pertur- turbations (Khrulkov and Oseledets, 2018, Moosavi- bations and Worley noise perturbations. Such ℓ - ∞ Dezfooli et al., 2017). Generally speaking, the human norm attacks surpass state-of-the-art invasion ef- perception system would be disturbed by the shad- fect on the ImageNet dataset (Russakovsky et al., ings. The sensibility is similar on the neural networks 2015) and CIFAR-10 dataset (Krizhevsky and that the deep visual classifiers would be fooled by Hinton, 2009). the procedural adversarial noises with the shadings. – An empirical and comparative study with other Therefore, adversarial learning on such procedural transfer-based black-box attack methods, query- noises can improve the visual classifier’s robustness based black-box attack methods, and other uni- under the untergeted attack. The perception systems versal adversarial perturbation (UAP) methods of autonomous vehicles need a performance guarantee is made to certify the cross-model attack perfor- when faced with the abnormal scenarios of sensors. mance of our procedural adversarial noises. The visual content audit system of Internet enter- – To our best knowledge, we are one of the earliest prises should inference correctly in the case of mali- groups to discuss the defense on the procedural cious image tampering. Therefore, robustness under adversarial noise attacks and analyze the associ- the procedural adversarial noise is an explorable re- ated robustness with the evaluation benchmark. search direction. A viewpoint was put forward (Car- lini et al., 2019) that defending random perturba- This paper is organized as follows. The related tions based on Gaussian noise is a basic requirement. works are introduced in Section II. In Section III, our Rayleigh noise, Gamma noise, and Salt-And-Pepper proposed approach is illustrated. Metrics and experi- On Procedural Adversarial Noise Attack And Defense 3 ment results comparison are presented in Section VI. and Oseledets, 2018). Gabor noise is the convolution Finally, the conclusion is presented in Section V. of a sparse white noise and a Gabor kernel, making it a type of Sparse Convolution Noise (Lagae et al., 2009, 2010). Perlin adversarial noise attack (Co et al., 2 Related Work 2019a) is proposed to generate universal adversarial perturbations based on the lattice gradient noise in-
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages20 Page
-
File Size-