A study of the effect of JPG compression on adversarial images

Dziugaite, Gintare Karolina; Ghahramani, Zoubin; Roy, Daniel M.

doi:10.48550/arxiv.1608.00853

Cited by 77 publications

(113 citation statements)

References 0 publications

Supporting

Mentioning

111

Contrasting

Order By: Relevance

“…Our method achieves 24.67% and 39.96% better mean ASR than the existing [5] and the naive PGD attack methods, respectively, for the eyeglass patch attack. Additionally, we evaluate the robustness of the brightness agnostic AXs against the model with JPEG compression [13], bit squeezing, and median blur defenses [14] in the pre-processing pipeline. These defenses do not directly cause brightness changes in the input images.…”

Section: Resultsmentioning

confidence: 99%

On Brightness Agnostic Adversarial Examples Against Face Recognition Systems

Singh¹,

Momiyama²,

Kakizaki³

et al. 2021

Preprint

View full text Add to dashboard Cite

This paper introduces a novel adversarial example generation method against face recognition systems (FRSs). An adversarial example (AX) is an image with deliberately crafted noise to cause incorrect predictions by a target system. The AXs generated from our method remain robust under realworld brightness changes. Our method performs nonlinear brightness transformations while leveraging the concept of curriculum learning during the attack generation procedure. We demonstrate that our method outperforms conventional techniques from comprehensive experimental investigations in the digital and physical world. Furthermore, this method enables practical risk assessment of FRSs against brightness agnostic AXs.

show abstract

Section: Resultsmentioning

confidence: 99%

On Brightness Agnostic Adversarial Examples Against Face Recognition Systems

Singh¹,

Momiyama²,

Kakizaki³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…For the defense against black-box attacks, a lot of methods are derived directly from the defense methods against white-box attacks, such as input transformation [32], network randomization [33] and adversarial training [34]. The defenses designed specifically for black-box attack, are denoised smoothing [35], malicious query detection [36][37] [38], and randomsmoothing [39] [40].…”

Section: Related Workmentioning

confidence: 99%

Boundary Defense Against Black-box Adversarial Attacks

Aithal¹,

Li²

2022

Preprint

View full text Add to dashboard Cite

Black-box adversarial attacks generate adversarial samples via iterative optimizations using repeated queries. Defending deep neural networks against such attacks has been challenging. In this paper, we propose an efficient Boundary Defense (BD) method which mitigates black-box attacks by exploiting the fact that the adversarial optimizations often need samples on the classification boundary. Our method detects the boundary samples as those with low classification confidence and adds white Gaussian noise to their logits. The method's impact on the deep network's classification accuracy is analyzed theoretically. Extensive experiments are conducted and the results show that the BD method can reliably defend against both soft and hard label black-box attacks. It outperforms a list of existing defense methods. For IMAGENET models, by adding zero-mean white Gaussian noise with standard deviation 0.1 to logits when the classification confidence is less than 0.3, the defense reduces the attack success rate to almost 0 while limiting the classification accuracy degradation to around 1 percent.

show abstract

“…Reactive methods perform preprocessing operations and transformations on the input images before inputting them to the target model. Dziugaite et al [22] found that JEPG compression could reverse the drop in classification accuracy of adversarial examples to a large extent. Xu et al [21] reduced the search space available to an adversary by reduction of color bit depth and spatial smoothing.…”

Section: B Defenses Against Attacksmentioning

confidence: 99%

“…Nine defense methods are adopted in our experiment. Seven reactive defenses are conducted, including spatial smoothing(SS) [21], color bit-depth reduction(CBDR) [21], JPEG compression(JC) [22], total variance minimization(TVM) [23], STL [24], super resolution(SR) [25] and feature distillation(FDistill) [34]. Besides, CAS [28] and feature denoising(FDenoise) [38], categorized as proactive defenses, are also adopted as baselines.…”

Section: A Evaluation Setupsmentioning

confidence: 99%

“…The former ones often use image transformations to the input in the inference stage, while the latter ones modify model structure and learning procedure to mitigate attacks. Early-proposed reactive strategies, including spatial smoothing [21], JPEG compression [22] and total variance minimization [23], attempt to remove perturbations by simple image transformations. Because of the uncertainty and randomness, they show limitations on handling larger perturbations(e.g., when l 2 -norm perturbation size is larger than 0.6).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

NIP: Neuron-level Inverse Perturbation Against Adversarial Attacks

Chen¹,

Jin²,

Chen³

et al. 2021

Preprint

View full text Add to dashboard Cite

Although deep learning models have achieved unprecedented success, their vulnerabilities towards adversarial attacks have attracted increasing attention, especially when deployed in security-critical domains. To address the challenge, numerous defense strategies, including reactive and proactive ones, have been proposed for robustness improvement. From the perspective of image feature space, some of them cannot reach satisfying results due to the shift of features. Besides, features learned by models are not directly related to classification results. Different from them, We consider defense method essentially from model inside and investigated the neuron behaviors before and after attacks. We observed that attacks mislead the model by dramatically changing the neurons that contribute most and least to the correct label. Motivated by it, we introduce the concept of neuron influence and further divide neurons into front, middle and tail part. Based on it, we propose neuron-level inverse perturbation(NIP), the first neuron-level reactive defense method against adversarial attacks. By strengthening front neurons and weakening those in the tail part, NIP can eliminate nearly all adversarial perturbations while still maintaining high benign accuracy. Besides, it can cope with different sizes of perturbations via adaptivity, especially larger ones. Comprehensive experiments conducted on three datasets and six models show that NIP outperforms the state-of-the-art baselines against eleven adversarial attacks. We further provide interpretable proofs via neuron activation and visualization for better understanding.

show abstract

A study of the effect of JPG compression on adversarial images

Cited by 77 publications

References 0 publications

On Brightness Agnostic Adversarial Examples Against Face Recognition Systems

On Brightness Agnostic Adversarial Examples Against Face Recognition Systems

Boundary Defense Against Black-box Adversarial Attacks

NIP: Neuron-level Inverse Perturbation Against Adversarial Attacks

Contact Info

Product

Resources

About