Frequency-driven Imperceptible Adversarial Attack on Semantic Similarity

Current adversarial attack research reveals the vulnerability of learning-based classifiers against carefully crafted perturbations. However, most existing attack methods have inherent limitations in cross-dataset generalization as they rely on a classification layer with a closed set of categories....

Full description

Saved in:
Bibliographic Details
Published in2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) pp. 15294 - 15303
Main Authors Luo, Cheng, Lin, Qinliang, Xie, Weicheng, Wu, Bizhu, Xie, Jinheng, Shen, Linlin
Format Conference Proceeding
LanguageEnglish
Published IEEE 01.06.2022
Subjects
Adversarial attack and defense; Computer vision theory; Deep learning architectures and techniques; Representation learning; Self-& semi-& meta- & unsupervised learning
Computer architecture
Computer vision
Measurement
Perturbation methods
Representation learning
Semantics
Visualization
Online AccessGet full text

Cover

More Information
Summary:Current adversarial attack research reveals the vulnerability of learning-based classifiers against carefully crafted perturbations. However, most existing attack methods have inherent limitations in cross-dataset generalization as they rely on a classification layer with a closed set of categories. Furthermore, the perturbations generated by these methods may appear in regions easily perceptible to the human visual system (HVS). To circumvent the former problem, we propose a novel algorithm that attacks semantic similarity on feature representations. In this way, we are able to fool classifiers without limiting attacks to a specific dataset. For imperceptibility, we introduce the low-frequency constraint to limit perturbations within high-frequency components, ensuring perceptual similarity between adversarial examples and originals. Extensive experiments on three datasets (CIFAR-10, CIFAR-100, and ImageNet-1K) and three public online platforms indicate that our attack can yield misleading and transferable adversarial examples across architectures and datasets. Additionally, visualization results and quantitative performance (in terms of four different metrics) show that the proposed algorithm generates more imperceptible perturbations than the state-of-the-art methods. Code is made available at https://github.com/LinQinLiang/SSAH-adversarial-attack.
ISSN:2575-7075
DOI:10.1109/CVPR52688.2022.01488