QUICK REVIEW

[Paper Review] Pasadena: Perceptually Aware and Stealthy Adversarial Denoise Attack

Yupeng Cheng, Qing Guo | arXiv (Cornell University) | Jul 14, 2020
Adversarial Robustness in Machine Learning | 76 references | 18 citations
TL;DR

This paper proposes Pasadena, a novel adversarial denoise attack that stealthily embeds fooling noise within image denoising pipelines to simultaneously enhance image quality and mislead deep neural networks (DNNs). By formulating the task as adversarial-denoising kernel prediction and using perceptually aware region localization, the method achieves high attack success rates (up to 84.8%) and improved image quality (SSIM gains of up to 0.054) across multiple noise types and models.

ABSTRACT

Image denoising can remove natural noise that widely exists in images captured by multimedia devices due to low-quality imaging sensors, unstable image transmission processes, or low light conditions. Recent works also find that image denoising benefits the high-level vision tasks, e.g., image classification. In this work, we try to challenge this common sense and explore a totally new problem, i.e., whether the image denoising can be given the capability of fooling the state-of-the-art deep neural networks (DNNs) while enhancing the image quality. To this end, we initiate the very first attempt to study this problem from the perspective of adversarial attack and propose the adversarial denoise attack. More specifically, our main contributions are three-fold: First, we identify a new task that stealthily embeds attacks inside the image denoising module widely deployed in multimedia devices as an image post-processing operation to simultaneously enhance the visual image quality and fool DNNs. Second, we formulate this new task as a kernel prediction problem for image filtering and propose the adversarial-denoising kernel prediction that can produce adversarial-noiseless kernels for effective denoising and adversarial attacking simultaneously. Third, we implement an adaptive perceptual region localization to identify semantic-related vulnerability regions with which the attack can be more effective while not doing too much harm to the denoising. We name the proposed method as Pasadena (Perceptually Aware and Stealthy Adversarial DENoise Attack) and validate our method on the NeurIPS'17 adversarial competition dataset, CVPR2021-AIC-VI: unrestricted adversarial attacks on ImageNet, etc. The comprehensive evaluation and analysis demonstrate that our method not only realizes denoising but also achieves a significantly higher success rate and transferability over state-of-the-art attacks.

Motivation & Objective

  • To challenge the common assumption that image denoising universally benefits high-level vision tasks by exploring whether denoisers can be weaponized to attack DNNs.
  • To develop a method that integrates adversarial attacks within standard image denoising pipelines without degrading visual quality.
  • To identify and exploit perceptually vulnerable regions in images to maximize attack effectiveness while preserving denoising performance.
  • To achieve high transferability of adversarial examples across different DNN architectures and noise types.
  • To demonstrate that denoising can be a stealthy vector for adversarial attacks, enabling both visual enhancement and model evasion.

Proposed method

  • Formulates the adversarial denoise attack as a kernel prediction problem for image filtering, enabling joint denoising and adversarial perturbation generation.
  • Proposes adversarial-denoising kernel prediction to produce kernels that remove natural noise while embedding imperceptible, targeted adversarial noise.
  • Introduces adaptive perceptual region localization to identify semantic-relevant, vulnerability-prone regions for focused attack application.
  • Applies the attack within standard image post-processing pipelines, ensuring compatibility with real-world multimedia systems.
  • Employs a dual optimization objective: minimizing reconstruction error for denoising and maximizing misclassification loss for adversarial success.
  • Validates the method on diverse datasets including ImageNet, Tiny-ImageNet-C, and the NeurIPS’17 competition dataset under multiple noise types and severity levels.

Experimental results

Research questions

  • RQ1: Can image denoising modules be repurposed to simultaneously enhance image quality and launch effective adversarial attacks?
  • RQ2: How can adversarial noise be embedded within a denoising process without degrading visual quality or leaving detectable artifacts?
  • RQ3: Which image regions are most vulnerable to adversarial perturbations when combined with denoising, and how can they be adaptively localized?
  • RQ4: To what extent does the proposed attack maintain high transferability across different DNN architectures and noise types?
  • RQ5: Can the method achieve both high attack success rates and measurable improvements in image quality metrics like SSIM?

Key findings

  • On the NeurIPS’17 dataset, Pasadena achieved a 74.8% attack success rate on ResNet-101 while improving SSIM from 0.735 to 0.790 under shot noise at severity level 2.
  • On Tiny-ImageNet-C, the method achieved 84.8% success rate on ResNet-101 under shot noise at severity level 1, with SSIM increasing from 0.828 to 0.844.
  • For impulse noise, the attack maintained high success rates (up to 86.0%) and improved SSIM from 0.833 to 0.837 at severity level 1.
  • The method demonstrated strong transferability, achieving 30% success rates on unseen models like EfficientNet across all severity levels.
  • Image quality improvements were most pronounced at higher noise severity levels, with SSIM gains exceeding 0.05 in some cases.
  • The approach outperformed state-of-the-art attacks in both attack success rate and transferability while simultaneously enhancing image fidelity.
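The findings above mean an image-quality metric alone cannot vouch for a denoising stage, since quality can rise while the downstream label changes. The following audit is an added example, not code from the paper or this review: it compares a deployed denoiser against an independent reference filter on validation pairs and flags outputs that score as cleaner yet are labelled differently. The toy classifier, the flat test images, the MSE metric (standing in for SSIM) and `shifted_filter` are constructed stand-ins, and all function names are hypothetical.

```python
from statistics import mean

def mean_filter(img):
    """Independent reference denoiser: 3x3 box filter, window clipped at borders."""
    h, w = len(img), len(img[0])
    def win(y, x):
        return [img[j][i] for j in range(max(0, y - 1), min(h, y + 2))
                          for i in range(max(0, x - 1), min(w, x + 2))]
    return [[mean(win(y, x)) for x in range(w)] for y in range(h)]

def mse(a, b):
    """Mean squared error; a simple stand-in here for SSIM."""
    return mean((p - q) ** 2 for ra, rb in zip(a, b) for p, q in zip(ra, rb))

def audit(pairs, deployed, reference, classify):
    """For (clean, noisy) validation pairs, flag outputs that score as cleaner
    than the input yet get a different label than the reference output."""
    report = []
    for clean, noisy in pairs:
        out, ref = deployed(noisy), reference(noisy)
        improved = mse(out, clean) < mse(noisy, clean)
        flipped = classify(out) != classify(ref)
        report.append({"improved": improved, "flipped": flipped,
                       "flag": improved and flipped})
    return report

# --- constructed sample data (not from the paper) ---
def classify(img):
    """Toy stand-in for a DNN: thresholds mean brightness."""
    return "bright" if mean(v for row in img for v in row) > 0.5 else "dark"

def make_pair(level, n=8, amp=0.2):
    """Flat image at `level` plus a deterministic checkerboard 'noise' pattern."""
    clean = [[level] * n for _ in range(n)]
    noisy = [[level + (amp if (x + y) % 2 == 0 else -amp) for x in range(n)]
             for y in range(n)]
    return clean, noisy

def shifted_filter(img):
    """Stand-in for a tampered denoiser: smooths, then biases the output."""
    return [[v - 0.12 for v in row] for row in mean_filter(img)]

PAIRS = [make_pair(level) for level in (0.6, 0.7, 0.3, 0.58)]

def flag_rate(deployed):
    """Fraction of validation pairs flagged for the given denoiser."""
    rep = audit(PAIRS, deployed, mean_filter, classify)
    return sum(r["flag"] for r in rep) / len(rep)
```

In a real pipeline `classify` would be the production model and `PAIRS` a held-out set with synthetic noise applied; a non-zero flag rate is a reason to inspect the denoising stage, not proof of tampering.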


This review was created by AI and reviewed by human editors.