[en] To perform image recognition, Convolutional Neural Networks (CNNs) assess any image by first resizing it to its input size. In particular, high-resolution images are scaled down, say to 224×244
for CNNs trained on ImageNet. So far, existing attacks, aiming at creating an adversarial image that a CNN would misclassify while a human would not notice any difference between the modified and unmodified images, proceed by creating adversarial noise in the 224×244
resized domain and not in the high-resolution domain. The complexity of directly attacking high-resolution images leads to challenges in terms of speed, adversity and visual quality, making these attacks infeasible in practice. We design an indirect attack strategy that lifts to the high-resolution domain any existing attack that works efficiently in the CNN's input size domain. Adversarial noise created via this method is of the same size as the original image. We apply this approach to 10 state-of-the-art CNNs trained on ImageNet, with an evolutionary algorithm-based attack. Our method succeeded in 900 out of 1000 trials to create such adversarial images, that CNNs classify with probability ≥0.55
in the adversarial category. Our indirect attack is the first effective method at creating adversarial images in the high-resolution domain.
Research center :
ULHPC - University of Luxembourg: High Performance Computing
Author, co-author :
Leprevost, Franck ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)
Topal, Ali Osman ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)
Chitic, Ioana Raluca ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)
External co-authors :
A strategy creating high-resolution adversarial images against convolutional neural networks and a feasibility study on 10 CNNs
Abadi, M., Agarwal, A., Barham, P., Brevdo, E., Chen, Z., Citro, C., Corrado, G., Davis, A., Dean, J., Devin, M., Ghemawat, S., Goodfellow, I., Harp, A., Irving, G., Isard, M., Jia, Y., Jozefowicz, R., Kaiser, L., Kudlur, M., … Zheng, X. (2015). TensorFlow: Large-scale machine learning on heterogeneous systems. https://www.tensorflow.org/.Softwareavailablefromtensorflow.org.
Agrafiotis, D. (2014). Chapter 9 -- Video error concealment. Academic Press Library in Signal Processing, 5 (1), 295–321. https://doi.org/10.1016/B978-0-12-420149-1.00009-0.
Andriushchenko, M., Croce, F., Flammarion, N., & Hein, M. (2020). Square attack: A query-efficient black-box adversarial attack via random search. European Conference on Computer Vision. Springer. doi: 10.1007/978-3-030-58592-1_29.
Biggio, B., Corona, I., Maiorca, D., Nelson, B., Šrndić, N., Laskov, P., Giacinto, G., & Roli, F. (2013). Evasion Attacks against Machine Learning at Test Time. In Joint European conference on machine learning and knowledge discovery in databases, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40994-3_25.
Blier, L. (2016). A brief report of the heuritech deep learning meetup 5. https://heuritech.wordpress.com/2016/02/29/a-brief-report-of-the-heuritech-deep-learning-meetup-5/.
Carlini, N., & Wagner, D. (2017). Towards Evaluating the Robustness of Neural Networks,. IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22-26 May 2017, IEEE. doi: 10.1109/SP.2017.49.
Chitic, R., Bernard, N., & Leprévost, F. (2020). A proof of concept to deceive humans and machines at image classification with evolutionary algorithms. In Intelligent information and database systems, 12th Asian conference, ACIIDS 2020, Phuket, Thailand, March 23–26, 2020. Springer. doi: 10.1007/978-3-030-42058-1_39.
Chitic, R., Leprévost, F., & Bernard, N. (2020). Evolutionary algorithms deceive humans and machines at image classification: An extended proof of concept on two scenarios. Journal of Information and Telecommunication, 5 (1), 121–143. https://doi.org/10.1080/24751839.2020.1829388
Chitic, R., Topal, A., & Leprévost, F. (2021). Evolutionary algorithm-based images, humanly indistinguishable and adversarial against convolutional neural networks: Efficiency and filter robustness. IEEE Access, 9, 160758 –160778. https://doi.org/10.1109/ACCESS.2021.3131255
Chollet, F. (2015). Others Keras. https://keras.io.
Deng, J., Dong, W., Socher, R., Li, L., Li, K., & Fei-Fei, L. (2009). The ImageNet image database. http://image-net.org.
Duchon, C. (1979). Lanczos filtering in one and two dimensions. Journal of Applied Meteorology and Climatology, 18 (8), 1016–1022. https://doi.org/10.1175/1520-0450(1979)018¡1016:LFIOAT¿2.0.CO;2
Guo, C., Gardner, J., You, Y., Wilson, A., & Weinberger, K. (2019). Simple black-box adversarial attacks. International Conference on Machine Learning, Long Beach, California, USA, 9-15 June 2019, PMLR 97:2484-2493.
Hu, W., & Tan, Y. (2017). Generating adversarial malware examples for black-box attacks based on GAN. ArXiv Preprint ArXiv:1702.05983.
Hwang, J., & Lee, H. (2004). Adaptive image interpolation based on local gradient features. IEEE Signal Processing Letters, 11 (3), 359–362. https://doi.org/10.1109/LSP.2003.821718
Keys, R. (1981). Cubic convolution interpolation for digital image processing. IEEE Transactions on Acoustics, Speech, and Signal Processing, 29 (6), 1153–1160. https://doi.org/10.1109/TASSP.1981.1163711
Krizhevsky, A., Nair, V., & Hinton, G. (2009). CIFAR-10 (Canadian Institute for Advanced Research). (0). http://www.cs.toronto.edu/kriz/cifar.html.
Leprévost, F., Topal, A. O., Avdusinovic, E., & Chitic, R. (2022). Strategy and feasibility study for the construction of high resolution images adversarial against convolutional neural networks. In 14th Asian conference, ACIIDS 2022 (Ho Chi Minh City, Vietnam, November 28–30, 2022) (pp. xx–xx).
Li, X., & Orchard, M. (2001). New edge-directed interpolation. IEEE Transactions on Image Processing, 10 (10), 1521–1527. https://doi.org/10.1109/83.951537
Oliphant, T. (2006). A guide to NumPy. Trelgol Publishing USA.
Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z., & Swami, A. (2017). Practical black-box attacks against machine learning. In Proceedings of the 2017 ACM on Asia conference on computer and communications security, Abu Dhabi United Arab Emirates, April 2–6, 2017. ACM. https://doi.org/10.1145/3052973.3053009.
Parsania, P., & Virparia, P. (2016). A comparative analysis of image interpolation algorithms. International Journal of Advanced Research in Computer and Communication Engineering, 5 (1), 29–34. https://doi.org/10.17148/IJARCCE
Patel, V., & Mistree, K. (2013). A review on different image interpolation techniques for image enhancement. International Journal of Emerging Technology and Advanced Engineering, 3 (12), 129–133.
Schulter, S., Leistner, C., & Bischof, H. (2015). Fast and accurate image upscaling with super-resolution forests. 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Boston, MA, USA, 07-12 June 2015. IEEE. doi: 10.1109/CVPR.2015.7299003.
SpeedyGraphito (2020). Mes 400 coups. Panoramart.
Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2013). Intriguing properties of neural networks. ArXiv Preprint ArXiv:1312.6199.
Topal, A. O., Chitic, R., & Leprévost, F. (2022). One evolutionary algorithm deceives humans and ten convolutional neural networks trained on ImageNet at image recognition. (Under Review).
Tsipras, D., Santurkar, S., Engstrom, L., Turner, A., & Madry, A. (2018). Robustness may be at odds with accuracy. ArXiv Preprint ArXiv:1805.12152.
Van Rossum, G., & Drake, F. (2009). Python 3 reference manual. CreateSpace.
Walt, S., Schönberger, J., Nunez-Iglesias, J., Boulogne, F., Warner, J., Yager, N., Gouillart, E., & Rajkumar, T. (2014). Contributors Scikit-image image processing in Python. PeerJ, 2, e453. https://doi.org/10.7717/peerj.453
Ye, M., Lyu, D., & Chen, G. (2020). Scale-iterative upscaling network for image deblurring. IEEE Access, 8, 18316–18325. https://doi.org/10.1109/Access.6287639
Zhang, X., & Wu, X. (2008). Image interpolation by adaptive 2-D autoregressive modeling and soft-decision estimation. IEEE Transactions On Image Processing, 17 (6), 887–896. https://doi.org/10.1109/TIP.2008.924279