A strategy creating high-resolution adversarial images against convolutional neural networks and a feasibility study on 10 CNNs

LEPREVOST, Franck; TOPAL, Ali Osman; Avdusinovic, Elmir; CHITIC, Ioana Raluca

doi:10.1080/24751839.2022.2132586

Article (Périodiques scientifiques)

A strategy creating high-resolution adversarial images against convolutional neural networks and a feasibility study on 10 CNNs

LEPREVOST, Franck; TOPAL, Ali Osman; Avdusinovic, Elmir et al.

2022 • In Journal of Information and Telecommunication, 7 (1), p. 89-119

Peer reviewed vérifié par ORBi

Permalien
https://hdl.handle.net/10993/55235

DOI
10.1080/24751839.2022.2132586

Documents (1)Envoyer vers Détails Statistiques Bibliographie Publications similaires

Documents

Texte intégral

A strategy creating high resolution adversarial images against convolutional neural networks and a feasibility study on 10 CNNs.pdf

Postprint Éditeur (6.7 MB)

Télécharger

Tous les documents dans ORBilu sont protégés par une licence d'utilisation.

Envoyer vers

RIS BibTex APA Chicago Permalink X Linkedin

Détails

Mots-clés :

Black-box attack; Convolutional Neural Network; Evolutionary Algorithm; high-resolution adversarial image

Résumé :

[en] To perform image recognition, Convolutional Neural Networks (CNNs) assess any image by first resizing it to its input size. In particular, high-resolution images are scaled down, say to 224×244 for CNNs trained on ImageNet. So far, existing attacks, aiming at creating an adversarial image that a CNN would misclassify while a human would not notice any difference between the modified and unmodified images, proceed by creating adversarial noise in the 224×244 resized domain and not in the high-resolution domain. The complexity of directly attacking high-resolution images leads to challenges in terms of speed, adversity and visual quality, making these attacks infeasible in practice. We design an indirect attack strategy that lifts to the high-resolution domain any existing attack that works efficiently in the CNN's input size domain. Adversarial noise created via this method is of the same size as the original image. We apply this approach to 10 state-of-the-art CNNs trained on ImageNet, with an evolutionary algorithm-based attack. Our method succeeded in 900 out of 1000 trials to create such adversarial images, that CNNs classify with probability ≥0.55 in the adversarial category. Our indirect attack is the first effective method at creating adversarial images in the high-resolution domain.

Centre de recherche :

ULHPC - University of Luxembourg: High Performance Computing

Disciplines :

Sciences informatiques

Auteur, co-auteur :

LEPREVOST, Franck ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)

TOPAL, Ali Osman ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)

Avdusinovic, Elmir

CHITIC, Ioana Raluca ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)

Co-auteurs externes :

Langue du document :

Anglais

Titre :

A strategy creating high-resolution adversarial images against convolutional neural networks and a feasibility study on 10 CNNs

Date de publication/diffusion :

22 octobre 2022

Titre du périodique :

Journal of Information and Telecommunication

ISSN :

2475-1839

eISSN :

2475-1847

Maison d'édition :

Taylor & Francis Group, Royaume-Uni

Volume/Tome :

Fascicule/Saison :

Pagination :

89-119

Peer reviewed :

Peer reviewed vérifié par ORBi

Focus Area :

Computational Sciences

URL complémentaire :

https://www.tandfonline.com/doi/full/10.1080/24751839.2022.2132586

Disponible sur ORBilu :

depuis le 29 mai 2023

Statistiques

Nombre de vues

183 (dont 6 Unilu)

Nombre de téléchargements

56 (dont 4 Unilu)

Voir plus de statistiques

citations Scopus^®

citations Scopus^®
sans auto-citations

OpenCitations

citations OpenAlex

citations WoS^™

Bibliographie

Abadi, M., Agarwal, A., Barham, P., Brevdo, E., Chen, Z., Citro, C., Corrado, G., Davis, A., Dean, J., Devin, M., Ghemawat, S., Goodfellow, I., Harp, A., Irving, G., Isard, M., Jia, Y., Jozefowicz, R., Kaiser, L., Kudlur, M., … Zheng, X. (2015). TensorFlow: Large-scale machine learning on heterogeneous systems. https://www.tensorflow.org/.Softwareavailablefromtensorflow.org.
Agrafiotis, D. (2014). Chapter 9 -- Video error concealment. Academic Press Library in Signal Processing, 5 (1), 295–321. https://doi.org/10.1016/B978-0-12-420149-1.00009-0.
Andriushchenko, M., Croce, F., Flammarion, N., & Hein, M. (2020). Square attack: A query-efficient black-box adversarial attack via random search. European Conference on Computer Vision. Springer. doi: 10.1007/978-3-030-58592-1_29.
Biggio, B., Corona, I., Maiorca, D., Nelson, B., Šrndić, N., Laskov, P., Giacinto, G., & Roli, F. (2013). Evasion Attacks against Machine Learning at Test Time. In Joint European conference on machine learning and knowledge discovery in databases, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40994-3_25.
Blier, L. (2016). A brief report of the heuritech deep learning meetup 5. https://heuritech.wordpress.com/2016/02/29/a-brief-report-of-the-heuritech-deep-learning-meetup-5/.
Carlini, N., & Wagner, D. (2017). Towards Evaluating the Robustness of Neural Networks,. IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22-26 May 2017, IEEE. doi: 10.1109/SP.2017.49.
Chitic, R., Bernard, N., & Leprévost, F. (2020). A proof of concept to deceive humans and machines at image classification with evolutionary algorithms. In Intelligent information and database systems, 12th Asian conference, ACIIDS 2020, Phuket, Thailand, March 23–26, 2020. Springer. doi: 10.1007/978-3-030-42058-1_39.
Chitic, R., Leprévost, F., & Bernard, N. (2020). Evolutionary algorithms deceive humans and machines at image classification: An extended proof of concept on two scenarios. Journal of Information and Telecommunication, 5 (1), 121–143. https://doi.org/10.1080/24751839.2020.1829388
Chitic, R., Topal, A., & Leprévost, F. (2021). Evolutionary algorithm-based images, humanly indistinguishable and adversarial against convolutional neural networks: Efficiency and filter robustness. IEEE Access, 9, 160758 –160778. https://doi.org/10.1109/ACCESS.2021.3131255
Chollet, F. (2015). Others Keras. https://keras.io.
Deng, J., Dong, W., Socher, R., Li, L., Li, K., & Fei-Fei, L. (2009). The ImageNet image database. http://image-net.org.
Duchon, C. (1979). Lanczos filtering in one and two dimensions. Journal of Applied Meteorology and Climatology, 18 (8), 1016–1022. https://doi.org/10.1175/1520-0450(1979)018¡1016:LFIOAT¿2.0.CO;2
Guo, C., Gardner, J., You, Y., Wilson, A., & Weinberger, K. (2019). Simple black-box adversarial attacks. International Conference on Machine Learning, Long Beach, California, USA, 9-15 June 2019, PMLR 97:2484-2493.
Hu, W., & Tan, Y. (2017). Generating adversarial malware examples for black-box attacks based on GAN. ArXiv Preprint ArXiv:1702.05983.
Hwang, J., & Lee, H. (2004). Adaptive image interpolation based on local gradient features. IEEE Signal Processing Letters, 11 (3), 359–362. https://doi.org/10.1109/LSP.2003.821718
Keys, R. (1981). Cubic convolution interpolation for digital image processing. IEEE Transactions on Acoustics, Speech, and Signal Processing, 29 (6), 1153–1160. https://doi.org/10.1109/TASSP.1981.1163711
Krizhevsky, A., Nair, V., & Hinton, G. (2009). CIFAR-10 (Canadian Institute for Advanced Research). (0). http://www.cs.toronto.edu/kriz/cifar.html.
Leprévost, F., Topal, A. O., Avdusinovic, E., & Chitic, R. (2022). Strategy and feasibility study for the construction of high resolution images adversarial against convolutional neural networks. In 14th Asian conference, ACIIDS 2022 (Ho Chi Minh City, Vietnam, November 28–30, 2022) (pp. xx–xx).
Li, X., & Orchard, M. (2001). New edge-directed interpolation. IEEE Transactions on Image Processing, 10 (10), 1521–1527. https://doi.org/10.1109/83.951537
Oliphant, T. (2006). A guide to NumPy. Trelgol Publishing USA.
Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z., & Swami, A. (2017). Practical black-box attacks against machine learning. In Proceedings of the 2017 ACM on Asia conference on computer and communications security, Abu Dhabi United Arab Emirates, April 2–6, 2017. ACM. https://doi.org/10.1145/3052973.3053009.
Parsania, P., & Virparia, P. (2016). A comparative analysis of image interpolation algorithms. International Journal of Advanced Research in Computer and Communication Engineering, 5 (1), 29–34. https://doi.org/10.17148/IJARCCE
Patel, V., & Mistree, K. (2013). A review on different image interpolation techniques for image enhancement. International Journal of Emerging Technology and Advanced Engineering, 3 (12), 129–133.
Schulter, S., Leistner, C., & Bischof, H. (2015). Fast and accurate image upscaling with super-resolution forests. 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Boston, MA, USA, 07-12 June 2015. IEEE. doi: 10.1109/CVPR.2015.7299003.
SpeedyGraphito (2020). Mes 400 coups. Panoramart.
Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2013). Intriguing properties of neural networks. ArXiv Preprint ArXiv:1312.6199.
Topal, A. O., Chitic, R., & Leprévost, F. (2022). One evolutionary algorithm deceives humans and ten convolutional neural networks trained on ImageNet at image recognition. (Under Review).
Tsipras, D., Santurkar, S., Engstrom, L., Turner, A., & Madry, A. (2018). Robustness may be at odds with accuracy. ArXiv Preprint ArXiv:1805.12152.
Van Rossum, G., & Drake, F. (2009). Python 3 reference manual. CreateSpace.
Walt, S., Schönberger, J., Nunez-Iglesias, J., Boulogne, F., Warner, J., Yager, N., Gouillart, E., & Rajkumar, T. (2014). Contributors Scikit-image image processing in Python. PeerJ, 2, e453. https://doi.org/10.7717/peerj.453
Ye, M., Lyu, D., & Chen, G. (2020). Scale-iterative upscaling network for image deblurring. IEEE Access, 8, 18316–18325. https://doi.org/10.1109/Access.6287639
Zhang, X., & Wu, X. (2008). Image interpolation by adaptive 2-D autoregressive modeling and soft-decision estimation. IEEE Transactions On Image Processing, 17 (6), 887–896. https://doi.org/10.1109/TIP.2008.924279