Invisible Adversarial Attack Against Deep Neural Networks

Posted on: 2021-12-09 | Degree: Master | Type: Thesis
Country: China | Candidate: M K Song | Full Text: PDF
GTID: 2518306290994629 | Subject: Cyberspace security
Abstract/Summary:
With the advance of mobile Internet and big data technology, artificial intelligence is developing rapidly. However, existing studies have demonstrated that artificial intelligence, especially the deep neural network, is vulnerable to adversarial examples, which seriously threaten security-sensitive applications. Generally, adversarial examples are synthesized by perturbing the original/benign images with well-designed perturbations. This can be formulated as an optimization problem with constraints on perceptual loss, and the ?-norm is widely adopted for measuring it. However, the ?-norm merely restricts the value of the perturbations and ignores their spatial distribution. Therefore, ?-based attacks do not consider image characteristics when synthesizing adversarial examples, resulting in noticeable artifacts. This paper focuses on the attack ability and imperceptibility of adversarial examples from the attacker's perspective. We propose an invisible adversarial attack, which synthesizes adversarial examples that are indistinguishable from benign ones. The basic idea is to distribute/constrain the adversarial perturbations according to human sensitivity to a local stimulus in the benign image, in order to improve the imperceptibility of the adversarial examples. Specifically, two types of adversarial attack are proposed. The first is a spatially constrained adversarial attack, named Spa Adv. Its basic idea is to use the cluttered regions of an image, which are usually rich in image detail and colorfulness, to mask the perturbations by imposing an additional spatial constraint on them. The second is a just noticeable distortion (JND) based adversarial attack, named JNDAdv. Its basic idea is to use the proposed JND metric to better measure the perceptual loss, and to set the penalty adaptively by weighting the pixel-wise perceptual redundancy of an image. Spa Adv is not pixel-wise, and its perturbations are added only to the cluttered regions, whereas JNDAdv adaptively sets the penalty by weighting the pixel-wise perceptual redundancy of an image; JNDAdv is therefore called a fine-grained attack. Finally, we conduct extensive experiments to validate the performance of the proposed Spa Adv and JNDAdv attacks in terms of the presentation of perturbed images, quantification of imperceptibility, and a user study. The experimental results demonstrate that the proposed adaptive adversarial attacks can synthesize adversarial examples that are indistinguishable from benign ones.
Keywords/Search Tags:Artificial Intelligence, adversarial examples, human visual system, Perceptual loss