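[Paper Explained] Pasadena: Perceptually Aware and Stealthy Adversarial Denoise Attack
This paper proposes Pasadena, a novel adversarial denoise attack that stealthily embeds deceptive noise in the image denoising pipeline, improving image quality while misleading deep neural networks (DNNs). By formulating the task as adversarial-denoising kernel prediction and combining it with a perceptually aware region localization method, the approach achieves an attack success rate of up to 84.8% and an image-quality improvement of up to 0.054 in SSIM across multiple noise types and models.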
Image denoising can remove natural noise that widely exists in images captured by multimedia devices due to low-quality imaging sensors, unstable image transmission processes, or low light conditions. Recent works also find that image denoising benefits the high-level vision tasks, e.g., image classification. In this work, we try to challenge this common sense and explore a totally new problem, i.e., whether the image denoising can be given the capability of fooling the state-of-the-art deep neural networks (DNNs) while enhancing the image quality. To this end, we initiate the very first attempt to study this problem from the perspective of adversarial attack and propose the adversarial denoise attack. More specifically, our main contributions are three-fold: First, we identify a new task that stealthily embeds attacks inside the image denoising module widely deployed in multimedia devices as an image post-processing operation to simultaneously enhance the visual image quality and fool DNNs. Second, we formulate this new task as a kernel prediction problem for image filtering and propose the adversarial-denoising kernel prediction that can produce adversarial-noiseless kernels for effective denoising and adversarial attacking simultaneously. Third, we implement an adaptive perceptual region localization to identify semantic-related vulnerability regions with which the attack can be more effective while not doing too much harm to the denoising. We name the proposed method as Pasadena (Perceptually Aware and Stealthy Adversarial DENoise Attack) and validate our method on the NeurIPS'17 adversarial competition dataset, CVPR2021-AIC-VI: unrestricted adversarial attacks on ImageNet, etc. The comprehensive evaluation and analysis demonstrate that our method not only realizes denoising but also achieves a significantly higher success rate and transferability over state-of-the-art attacks.
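Research Motivation and Goals
- Challenge the common assumption that image denoising generally benefits high-level vision tasks, and explore whether a denoiser can be weaponized to attack DNNs.
- Develop a method that integrates an adversarial attack into a standard image denoising pipeline without degrading visual quality.
- Identify and exploit perceptually vulnerable regions of an image to maximize attack effectiveness while preserving denoising performance.
- Achieve high transferability of adversarial examples across different DNN architectures and noise types.
- Show that denoising can serve as a stealthy carrier for adversarial attacks, achieving the dual goals of visual enhancement and model evasion.
Proposed Method
- Formulates the adversarial denoise attack as a kernel prediction problem for image filtering, so that denoising and the adversarial perturbation are generated jointly.
- Proposes adversarial-denoising kernel prediction, which produces kernels that both remove natural noise and embed imperceptible, goal-directed adversarial noise.
- Introduces adaptive perceptual region localization to identify semantically related vulnerable regions, so that the attack is applied in a focused way.
- Applies the attack inside a standard image post-processing pipeline, ensuring compatibility with real-world multimedia systems.
- Uses a dual optimization objective: minimize reconstruction error for denoising, and maximize misclassification loss for adversarial success.
- Validates the method on diverse datasets, including ImageNet, Tiny-ImageNet-C and the NeurIPS'17 competition dataset, across multiple noise types and severity levels.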
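The per-pixel filtering operation that a kernel-prediction formulation builds on, as an added example that is not code from the paper or from this page: every pixel gets its own kernel, so the output image is determined entirely by the kernel set. The kernels here are hand-built rather than predicted by a network, the 5x5 image is constructed, all function names are hypothetical, and no adversarial objective is involved.

```python
def identity_kernel(k=3):
    """k x k kernel that passes the centre pixel through unchanged."""
    ker = [[0.0] * k for _ in range(k)]
    ker[k // 2][k // 2] = 1.0
    return ker

def neighbour_mean_kernel(k=3):
    """k x k kernel averaging the neighbours only (centre weight 0)."""
    ker = [[1.0 / (k * k - 1)] * k for _ in range(k)]
    ker[k // 2][k // 2] = 0.0
    return ker

def apply_pixel_kernels(image, kernels):
    """out[y][x] = sum over (dy, dx) of kernels[y][x][dy][dx] * image[y+dy-r][x+dx-r].
    Coordinates outside the image are clamped (edge replication)."""
    h, w = len(image), len(image[0])
    out = [[0.0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            ker = kernels[y][x]
            r = len(ker) // 2
            for dy, row in enumerate(ker):
                for dx, weight in enumerate(row):
                    yy = min(max(y + dy - r, 0), h - 1)
                    xx = min(max(x + dx - r, 0), w - 1)
                    out[y][x] += weight * image[yy][xx]
    return out

def mse(a, b):
    """Mean squared error between two equally sized images."""
    diffs = [(p - q) ** 2 for ra, rb in zip(a, b) for p, q in zip(ra, rb)]
    return sum(diffs) / len(diffs)

def demo():
    """Constructed 5x5 sample: flat 0.5 image with one impulse at the centre."""
    clean = [[0.5] * 5 for _ in range(5)]
    noisy = [row[:] for row in clean]
    noisy[2][2] = 1.0
    # Spatially varying kernels: smooth only the corrupted pixel.
    adaptive = [[identity_kernel() for _ in range(5)] for _ in range(5)]
    adaptive[2][2] = neighbour_mean_kernel()
    # One shared box kernel everywhere, for comparison.
    box = [[[[1.0 / 9] * 3 for _ in range(3)] for _ in range(5)] for _ in range(5)]
    return (mse(noisy, clean),
            mse(apply_pixel_kernels(noisy, adaptive), clean),
            mse(apply_pixel_kernels(noisy, box), clean))

if __name__ == "__main__":
    print("MSE noisy / adaptive / box:", demo())
```

The spatially varying kernel set restores the constructed image exactly, while the single shared box kernel spreads the impulse into its neighbours.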
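Experimental Results
Research Questions
- RQ1: Can an image denoising module be repurposed to improve image quality and launch an effective adversarial attack at the same time?
- RQ2: How can adversarial noise be embedded in the denoising process without degrading visual quality or leaving detectable traces?
- RQ3: When combined with denoising, which image regions are most vulnerable to adversarial perturbation, and how can they be localized adaptively?
- RQ4: To what extent does the proposed attack retain its transferability across different DNN architectures and noise types?
- RQ5: Can the method achieve both a high attack success rate and a measurable improvement in image quality metrics such as SSIM?
Main Findings
- On the NeurIPS'17 dataset, under impulse noise at severity level 2, Pasadena achieves a 74.8% attack success rate against ResNet-101 while raising SSIM from 0.735 to 0.790.
- On the Tiny-ImageNet-C dataset, under impulse noise at severity level 1, the method achieves an 84.8% attack success rate against ResNet-101, with SSIM rising from 0.828 to 0.844.
- For impulse noise, the attack maintains a high success rate (up to 86.0%), with SSIM rising from 0.833 to 0.837 (severity level 1).
- The method shows strong transferability, achieving a 30% attack success rate on unseen models (such as EfficientNet) at all severity levels.
- The image quality improvement is most pronounced at high noise severity, with SSIM gains exceeding 0.05 in some cases.
- The method outperforms current state-of-the-art attacks in attack success rate and transferability while significantly improving image fidelity.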
This explainer was generated by AI and reviewed by human editors.