QUICK REVIEW

[Paper Review] Towards Imperceptible and Robust Adversarial Example Attacks against Neural Networks

Bo Luo, Yannan Liu | arXiv (Cornell University) | Jan 15, 2018
Adversarial Robustness in Machine Learning | 18 references | 21 citations
TL;DR

This paper proposes a novel adversarial attack method that enhances both imperceptibility and robustness by modeling human visual sensitivity and maximizing noise tolerance. By introducing a perceptually informed distance metric and a greedy optimization strategy, the method achieves superior robustness under physical-world distortions—outperforming FGSM, JSMA, and L-BFGS by up to 36% in success rate under strong Gaussian noise (62% vs. 21.5% at std=0.25).

ABSTRACT

Machine learning systems based on deep neural networks, being able to produce state-of-the-art results on various perception tasks, have gained mainstream adoption in many applications. However, they are shown to be vulnerable to adversarial example attack, which generates malicious output by adding slight perturbations to the input. Previous adversarial example crafting methods, however, use simple metrics to evaluate the distances between the original examples and the adversarial ones, which could be easily detected by human eyes. In addition, these attacks are often not robust due to the inevitable noises and deviation in the physical world. In this work, we present a new adversarial example attack crafting method, which takes the human perceptual system into consideration and maximizes the noise tolerance of the crafted adversarial example. Experimental results demonstrate the efficacy of the proposed technique.

Motivation & Objective

  • Address the limitation of existing adversarial attacks that rely on simple Lp-norm distance metrics, which fail to account for human visual perception and thus produce easily detectable perturbations.
  • Improve the robustness of adversarial examples in the physical world, where noise, compression, and transformations degrade attack success rates.
  • Develop a general-purpose attack framework applicable across diverse neural network applications, overcoming the limitations of application-specific prior methods.
  • Optimize for both imperceptibility and robustness simultaneously by balancing perceptual sensitivity and noise tolerance in perturbation placement.

Proposed method

  • Introduce a new perceptual distance metric that models human sensitivity to pixel perturbations, assigning higher tolerance to regions with high variance and lower tolerance to uniform areas, where the eye is more sensitive to changes.
  • Formulate an optimization objective to maximize the confidence gap between the target class and the next highest class probability, enhancing attack success and robustness.
  • Propose a greedy algorithm that selects pixels with high perceptual tolerance and applies perturbations of optimal magnitude to maximize noise resilience while maintaining imperceptibility.
  • Define a robustness metric as the fraction of adversarial examples that remain misclassified after physical transformations (e.g., JPEG compression, Gaussian noise, blurring, brightness/contrast changes).
  • Use a composite transformation function $Tran(*)$ to simulate real-world distortions and evaluate success rates under various physical conditions.
  • Apply the method on CIFAR-10 and MNIST datasets, comparing performance against FGSM, JSMA, and L-BFGS under identical evaluation protocols.
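The variance-based metric described in the list above can be measured on any original/modified image pair. The following is an added example, not code from the paper or this review; the review does not give the formula, so the specific form used here (sensitivity = 1 / local standard deviation over a 3x3 window, distance = sum of |delta| × sensitivity) and the 8x8 sample image are assumptions.

```python
from statistics import pstdev

def local_std(img, r, c, k=1):
    """Std-dev of the (2k+1)x(2k+1) window around (r, c), clipped at the borders."""
    rows, cols = len(img), len(img[0])
    window = [img[i][j]
              for i in range(max(0, r - k), min(rows, r + k + 1))
              for j in range(max(0, c - k), min(cols, c + k + 1))]
    return pstdev(window)

def sensitivity_map(img, eps=1e-3):
    # Assumed form: sensitivity = 1 / (local std + eps), so flat regions score high.
    return [[1.0 / (local_std(img, r, c) + eps) for c in range(len(img[0]))]
            for r in range(len(img))]

def perceptual_distance(orig, pert):
    # Assumed form: per-pixel |delta| weighted by the sensitivity of the original.
    sen = sensitivity_map(orig)
    return sum(abs(p - o) * s
               for ro, rp, rs in zip(orig, pert, sen)
               for o, p, s in zip(ro, rp, rs))

def l2_distance(orig, pert):
    return sum((p - o) ** 2 for ro, rp in zip(orig, pert)
               for o, p in zip(ro, rp)) ** 0.5

def perturb(img, cells, delta):
    out = [row[:] for row in img]
    for r, c in cells:
        out[r][c] += delta
    return out

# Constructed 8x8 grayscale image: left half flat (0.5), right half checkerboard.
IMAGE = [[0.5 if c < 4 else (0.2 if (r + c) % 2 else 0.8) for c in range(8)]
         for r in range(8)]
FLAT_CELLS = [(r, 1) for r in range(2, 6)]       # four pixels in the flat half
TEXTURED_CELLS = [(r, 6) for r in range(2, 6)]   # four pixels in the textured half

def compare(delta=0.05):
    """Same-size change in each half: identical L2, very different perceptual score."""
    flat = perturb(IMAGE, FLAT_CELLS, delta)
    textured = perturb(IMAGE, TEXTURED_CELLS, delta)
    return {"l2_flat": l2_distance(IMAGE, flat),
            "l2_textured": l2_distance(IMAGE, textured),
            "perceptual_flat": perceptual_distance(IMAGE, flat),
            "perceptual_textured": perceptual_distance(IMAGE, textured)}

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.3f}")
```

Both modifications have the same L2 norm, which is why a detector or distortion budget expressed only as an Lp threshold cannot tell a visible change from a hidden one.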

Experimental results

Research questions

  • RQ1: Can a perceptually informed distance metric improve the imperceptibility of adversarial examples compared to standard Lp-norms?
  • RQ2: How does optimizing for noise tolerance affect the robustness of adversarial examples under physical-world distortions such as JPEG compression and Gaussian noise?
  • RQ3: To what extent does the proposed method outperform existing attacks (e.g., FGSM, JSMA, L-BFGS) in both imperceptibility and robustness across diverse image transformations?
  • RQ4: Is the proposed method generalizable across different neural network applications, or is it limited to specific use cases like face or road sign recognition?
  • RQ5: What is the trade-off between perceptual imperceptibility and robustness, and can both be simultaneously maximized through a unified optimization framework?

Key findings

  • The proposed method achieves a 98.5% success rate under Gaussian noise with standard deviation 0.05, outperforming JSMA (98.25%), L-BFGS (86.8%), and FGSM (82.5%).
  • At the highest noise level (std=0.25), the method maintains a 62% success rate, significantly outperforming FGSM (21.5%), L-BFGS (28.6%), and JSMA (33.2%).
  • Under JPEG compression, the method achieves a 76% success rate, compared to only 52.3% for FGSM, demonstrating superior robustness to lossy compression.
  • The method’s robustness advantage increases with noise intensity, indicating effective noise tolerance optimization.
  • Despite ranking second in human perception experiments, JSMA performs better in robustness due to larger, sparser perturbations that are more resilient to noise.
  • The method successfully balances imperceptibility and robustness, achieving state-of-the-art performance across multiple physical-world transformations without application-specific tuning.
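The success rates above are instances of the robustness metric: the fraction of inputs that keep their (wrong) label after a transformation. The following added example, not code from the paper or this review, measures that fraction under Gaussian noise at std 0.05 and 0.25 and shows how it depends on the confidence margin; the two-feature linear model, the constructed input points and the function names are assumptions chosen so the harness runs offline.

```python
import random

# Toy stand-in for a classifier (assumption): unit-norm linear scorer,
# score > 0 means the input is assigned the (wrong) target class.
W = (0.6, 0.8)

def is_target(x):
    return W[0] * x[0] + W[1] * x[1] > 0.0

def make_examples(margin, n, rng):
    """Constructed inputs whose score equals `margin`, spread along the boundary."""
    out = []
    for _ in range(n):
        t = rng.uniform(-1.0, 1.0)  # offset along the direction orthogonal to W
        out.append((margin * W[0] - 0.8 * t, margin * W[1] + 0.6 * t))
    return out

def tran_gaussian(x, std, rng):
    """One transformation of the kind the review lists: additive Gaussian noise."""
    return tuple(v + rng.gauss(0.0, std) for v in x)

def survival_rate(examples, std, rng, trials=20):
    """Robustness metric: fraction still assigned the target class after noise."""
    kept = sum(is_target(tran_gaussian(x, std, rng))
               for x in examples for _ in range(trials))
    return kept / (len(examples) * trials)

def robustness_table(margins=(0.05, 0.5), stds=(0.05, 0.25), n=200, seed=7):
    rng = random.Random(seed)  # fixed seed so the table is reproducible
    table = {}
    for m in margins:
        examples = make_examples(m, n, rng)
        for s in stds:
            table[(m, s)] = survival_rate(examples, s, rng)
    return table

if __name__ == "__main__":
    for (margin, std), rate in sorted(robustness_table().items()):
        print(f"margin={margin:<5} noise std={std:<5} still misclassified: {rate:.1%}")
```

Low-margin inputs lose their label roughly 40% of the time at std 0.25, while high-margin inputs almost never do, so noise-based input preprocessing should be evaluated against the margin of the inputs it is expected to neutralize.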


This review was created by AI and reviewed by human editors.