Article

Generating Adversarial Images in Quantized Domains

Journal

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TIFS.2021.3138616

Keywords

Computational and artificial intelligence; neural networks; feedforward neural network; multi-layer neural network; signal processing; quantization (signal)

Funding

  1. Direction Generale de l'Armement, French, under the Ministry for the Armed Forces
  2. French National Research Agency under the ALASKA Project [ANR-18-ASTR-0009]
  3. French Agence Innovation pour la Defense under the chaire Security of Artificial Intelligence for Defense Applications (SAIDA) [ANR-20-CHIA-0011-01]
  4. challenge DEtection de FALSifications dans des images et videos (DEFALS) Program [ANR-16-DEFA-0003]
  5. Agence Nationale de la Recherche (ANR) [ANR-20-CHIA-0011]


This paper proposes a method dedicated to quantizing adversarial perturbations while minimizing the quantization error and keeping the image adversarial after quantization. The method operates in both the spatial and JPEG domains with low complexity.

Many adversarial attacks produce floating-point tensors which are no longer adversarial when converted to raster or JPEG images due to rounding. This paper proposes a method dedicated to quantizing adversarial perturbations. This smart quantization is conveniently implemented as versatile post-processing. It can be used on top of any white-box attack targeting any model. Its principle is tantamount to a constrained optimization problem aiming to minimize the quantization error while keeping the image adversarial after quantization. A Lagrangian formulation is proposed, and an appropriate search of the Lagrangian multiplier makes it possible to increase the success rate. We also add a control mechanism of the ℓ∞-distortion. Our method operates in both spatial and JPEG domains with little complexity. This study shows that forging adversarial images is not a hard constraint: our quantization does not introduce any extra distortion. Moreover, adversarial images quantized as JPEG also challenge defenses relying on the robustness of neural networks against JPEG compression.

