ColorFool: Semantic Adversarial Colorization

Shamsabadi, Ali Shahin; Sánchez-Matilla, Ricardo; Cavallaro, Andrea

doi:10.1109/cvpr42600.2020.00123

Cited by 76 publications

(74 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Abandoning norm based constraints completely, Patch Attack [37] replaces a certain area of the image with an adversarial patch. Likewise, ColorFool [38] disregards norms and instead recolors the image to make it adversarial. While the non-traditional norm category is not strictly defined, it gives us a concise grouping that highlights the advances being made outside of the l 2 and l ∞ based black-box attacks.…”

Section: B Black-box Attack Categorizationmentioning

confidence: 99%

See 1 more Smart Citation

Back in Black: A Comparative Evaluation of Recent State-Of-The-Art Black-Box Attacks

Mahmood

Rathbun

et al. 2022

IEEE Access

View full text Add to dashboard Cite

The field of adversarial machine learning has experienced a near exponential growth in the amount of papers being produced since 2018. This massive information output has yet to be properly processed and categorized. In this paper, we seek to help alleviate this problem by systematizing the recent advances in adversarial machine learning black-box attacks since 2019. Our survey summarizes and categorizes 20 recent black-box attacks. We also present a new analysis for understanding the attack success rate with respect to the adversarial model used in each paper. Overall, our paper surveys a wide body of literature to highlight recent attack developments and organizes them into four attack categories: score based attacks, decision based attacks, transfer attacks and non-traditional attacks. Further, we provide a new mathematical framework to show exactly how attack results can fairly be compared. INDEX TERMSAdversarial machine learning, adversarial examples, adversarial defense, black-box attack, security, deep learning. Score based Attacks Attack Name Date Author qMeta 6-Jun-19 Du et al. [24] P-RGF 17-Jun-19 Cheng et al. [25] ZO-ADMM 26-Jul-19 Zhao et al. [26] TREMBA 17-Nov-19 Huang et al. [27] Square 29-Nov-19 Andriushchenko et al. [28] ZO-NGD 18-Feb-20 Zhao et al. [29] PPBA 8-May-20 Liu et al. [30] Decision based Attacks Attack Name Date Author qFool 26-Mar-19 Liu et al. [31] HSJA 3-Apr-19 Chen et al. [10] GeoDA 13-Mar-20 Rahmati et al. [32] QEBA 28-May-20 Li et al. [33] RayS 23-Jun-20 Chen et al. [34] SurFree 25-Nov-20 Maho et al. [12] NonLinear-BA 25-Feb-21 Li et al. [35] Transfer based Attacks Attack Name Date Author Adaptive 3-Oct-19 Mahmood et al. [22] DaST 28-Mar-20 Zhou et al. [9] PO-TI 13-Jun-20 Li et al. [23] Non-traditional Attacks Attack Name Date Author CornerSearch 11-Sep-19 Croce et al. [36] ColorFool 25-Nov-19 Shamsabadi et al. [38] Patch 12-Apr-20 Yang et al. [37]

show abstract

Section: B Black-box Attack Categorizationmentioning

confidence: 99%

“…The Patch Attack is based on completely replacing small part of the original image with an adversarial generated square (patch). The last attack we cover in this section is ColorFool [38]. This attack is based on manipulating the colors within the image as opposed to directly adding adversarial noise.…”

Section: Non-traditional Norm Attacksmentioning

confidence: 99%

Back in Black: A Comparative Evaluation of Recent State-Of-The-Art Black-Box Attacks

Mahmood

Rathbun

et al. 2022

IEEE Access

View full text Add to dashboard Cite

show abstract

“…The diffusion and the wide use of deep learning methods for artificial intelligence systems, thus, pose significant security and privacy issues. From the security point of view, Adversarial Attacks (AA) showed that deep learning models can be easily fooled [ 13 , 14 , 15 , 16 , 17 , 18 , 19 , 20 , 21 , 22 , 23 , 24 , 25 ] while, from a privacy point of view, it has been shown that information can be easily extracted from dataset and learned model [ 26 , 27 , 28 ]. It has also been shown that attacking methods based on adversarial samples can be used for privacy-preserving purposes [ 29 , 30 , 31 , 32 , 33 ]: in this case, data are intentionally modified to avoid unauthorized information extraction by fooling the unauthorized software.…”

Section: Introductionmentioning

confidence: 99%

“…On the other hand, unrestricted attacks use large unconstrained

-bounded perturbations manipulating the image to create adversary photorealistic instances. In this case, the intent is not to restrict the transformations on pixels but to limit the human perception that a transformation has been applied [ 17 , 42 , 43 ].…”

Section: Introductionmentioning

confidence: 99%

Lie to Me: Shield Your Emotions from Prying Software

Baia

Biondi

Franzoni

et al. 2022

Sensors

View full text Add to dashboard Cite

Deep learning approaches for facial Emotion Recognition (ER) obtain high accuracy on basic models, e.g., Ekman’s models, in the specific domain of facial emotional expressions. Thus, facial tracking of users’ emotions could be easily used against the right to privacy or for manipulative purposes. As recent studies have shown that deep learning models are susceptible to adversarial examples (images intentionally modified to fool a machine learning classifier) we propose to use them to preserve users’ privacy against ER. In this paper, we present a technique for generating Emotion Adversarial Attacks (EAAs). EAAs are performed applying well-known image filters inspired from Instagram, and a multi-objective evolutionary algorithm is used to determine the per-image best filters attacking combination. Experimental results on the well-known AffectNet dataset of facial expressions show that our approach successfully attacks emotion classifiers to protect user privacy. On the other hand, the quality of the images from the human perception point of view is maintained. Several experiments with different sequences of filters are run and show that the Attack Success Rate is very high, above 90% for every test.

show abstract

“…Such methods require either access to the targeted network architecture [2] or additional resources like pretrained networks to perform image segmentation [3], colorization and style transfer [4]. In some cases, it is necessary to train neural networks from scratch for each image in order to find effective adversarial perturbations [5].…”

Section: Introduction and Related Workmentioning

confidence: 99%