Structure matters: Towards generating transferable adversarial images

Dan Peng; Zizhan Zheng; Linhao Luo; Xiaofeng Zhang

doi:10.3233/FAIA200247

Structure matters: Towards generating transferable adversarial images

Dan Peng
, Zizhan Zheng
, Linhao Luo
, Xiaofeng Zhang

Harbin Institute of Technology Shenzhen
Tulane University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

Recent works on adversarial examples for image classification focus on directly modifying pixels with minor perturbations. The small perturbation requirement is imposed to ensure the generated adversarial examples being natural and realistic to humans, which, however, puts a curb on the attack space thus limiting the attack ability and transferability especially for systems protected by a defense mechanism. In this paper, we propose the novel concepts of structure patterns and structure-aware perturbations that relax the small perturbation constraint while still keeping images natural. The key idea of our approach is to allow perceptible deviation in adversarial examples while keeping structure patterns that are central to a human classifier. Built upon these concepts, we propose a structure-preserving attack (SPA) for generating natural adversarial examples with extremely high transferability. Empirical results on the MNIST and the CIFAR10 datasets show that SPA exhibits strong attack ability in both the white-box and black-box setting even defenses are applied. Moreover, with the integration of PGD or CW attack, its attack ability escalates sharply under the white-box setting, without losing the outstanding transferability inherited from SPA.

Original language	English
Title of host publication	ECAI 2020 - 24th European Conference on Artificial Intelligence, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020 - Proceedings
Editors	Giuseppe De Giacomo, Alejandro Catala, Bistra Dilkina, Michela Milano, Senen Barro, Alberto Bugarin, Jerome Lang
Publisher	IOS Press BV
Pages	1419-1426
Number of pages	8
ISBN (Electronic)	9781643681009
DOIs	https://doi.org/10.3233/FAIA200247
State	Published - 24 Aug 2020
Externally published	Yes
Event	24th European Conference on Artificial Intelligence, ECAI 2020, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020 - Santiago de Compostela, Online, Spain Duration: 29 Aug 2020 → 8 Sep 2020

Publication series

Name	Frontiers in Artificial Intelligence and Applications
Volume	325
ISSN (Print)	0922-6389
ISSN (Electronic)	1879-8314

Conference

Conference	24th European Conference on Artificial Intelligence, ECAI 2020, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020
Country/Territory	Spain
City	Santiago de Compostela, Online
Period	29/08/20 → 8/09/20

Access to Document

10.3233/FAIA200247

Cite this

Peng, D., Zheng, Z., Luo, L., & Zhang, X. (2020). Structure matters: Towards generating transferable adversarial images. In G. De Giacomo, A. Catala, B. Dilkina, M. Milano, S. Barro, A. Bugarin, & J. Lang (Eds.), ECAI 2020 - 24th European Conference on Artificial Intelligence, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020 - Proceedings (pp. 1419-1426). (Frontiers in Artificial Intelligence and Applications; Vol. 325). IOS Press BV. https://doi.org/10.3233/FAIA200247

Peng, Dan ; Zheng, Zizhan ; Luo, Linhao et al. / Structure matters : Towards generating transferable adversarial images. ECAI 2020 - 24th European Conference on Artificial Intelligence, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020 - Proceedings. editor / Giuseppe De Giacomo ; Alejandro Catala ; Bistra Dilkina ; Michela Milano ; Senen Barro ; Alberto Bugarin ; Jerome Lang. IOS Press BV, 2020. pp. 1419-1426 (Frontiers in Artificial Intelligence and Applications).

@inproceedings{7ad50aae3b944a58bb3fad9c45949de2,

title = "Structure matters: Towards generating transferable adversarial images",

abstract = "Recent works on adversarial examples for image classification focus on directly modifying pixels with minor perturbations. The small perturbation requirement is imposed to ensure the generated adversarial examples being natural and realistic to humans, which, however, puts a curb on the attack space thus limiting the attack ability and transferability especially for systems protected by a defense mechanism. In this paper, we propose the novel concepts of structure patterns and structure-aware perturbations that relax the small perturbation constraint while still keeping images natural. The key idea of our approach is to allow perceptible deviation in adversarial examples while keeping structure patterns that are central to a human classifier. Built upon these concepts, we propose a structure-preserving attack (SPA) for generating natural adversarial examples with extremely high transferability. Empirical results on the MNIST and the CIFAR10 datasets show that SPA exhibits strong attack ability in both the white-box and black-box setting even defenses are applied. Moreover, with the integration of PGD or CW attack, its attack ability escalates sharply under the white-box setting, without losing the outstanding transferability inherited from SPA.",

author = "Dan Peng and Zizhan Zheng and Linhao Luo and Xiaofeng Zhang",

note = "Publisher Copyright: {\textcopyright} 2020 The authors and IOS Press.; 24th European Conference on Artificial Intelligence, ECAI 2020, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020 ; Conference date: 29-08-2020 Through 08-09-2020",

year = "2020",

month = aug,

day = "24",

doi = "10.3233/FAIA200247",

language = "英语",

series = "Frontiers in Artificial Intelligence and Applications",

publisher = "IOS Press BV",

pages = "1419--1426",

editor = "\{De Giacomo\}, Giuseppe and Alejandro Catala and Bistra Dilkina and Michela Milano and Senen Barro and Alberto Bugarin and Jerome Lang",

booktitle = "ECAI 2020 - 24th European Conference on Artificial Intelligence, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020 - Proceedings",

address = "荷兰",

}

Peng, D, Zheng, Z, Luo, L & Zhang, X 2020, Structure matters: Towards generating transferable adversarial images. in G De Giacomo, A Catala, B Dilkina, M Milano, S Barro, A Bugarin & J Lang (eds), ECAI 2020 - 24th European Conference on Artificial Intelligence, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020 - Proceedings. Frontiers in Artificial Intelligence and Applications, vol. 325, IOS Press BV, pp. 1419-1426, 24th European Conference on Artificial Intelligence, ECAI 2020, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020, Santiago de Compostela, Online, Spain, 29/08/20. https://doi.org/10.3233/FAIA200247

Structure matters: Towards generating transferable adversarial images. / Peng, Dan; Zheng, Zizhan; Luo, Linhao et al.
ECAI 2020 - 24th European Conference on Artificial Intelligence, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020 - Proceedings. ed. / Giuseppe De Giacomo; Alejandro Catala; Bistra Dilkina; Michela Milano; Senen Barro; Alberto Bugarin; Jerome Lang. IOS Press BV, 2020. p. 1419-1426 (Frontiers in Artificial Intelligence and Applications; Vol. 325).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Structure matters

T2 - 24th European Conference on Artificial Intelligence, ECAI 2020, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020

AU - Peng, Dan

AU - Zheng, Zizhan

AU - Luo, Linhao

AU - Zhang, Xiaofeng

PY - 2020/8/24

Y1 - 2020/8/24

N2 - Recent works on adversarial examples for image classification focus on directly modifying pixels with minor perturbations. The small perturbation requirement is imposed to ensure the generated adversarial examples being natural and realistic to humans, which, however, puts a curb on the attack space thus limiting the attack ability and transferability especially for systems protected by a defense mechanism. In this paper, we propose the novel concepts of structure patterns and structure-aware perturbations that relax the small perturbation constraint while still keeping images natural. The key idea of our approach is to allow perceptible deviation in adversarial examples while keeping structure patterns that are central to a human classifier. Built upon these concepts, we propose a structure-preserving attack (SPA) for generating natural adversarial examples with extremely high transferability. Empirical results on the MNIST and the CIFAR10 datasets show that SPA exhibits strong attack ability in both the white-box and black-box setting even defenses are applied. Moreover, with the integration of PGD or CW attack, its attack ability escalates sharply under the white-box setting, without losing the outstanding transferability inherited from SPA.

AB - Recent works on adversarial examples for image classification focus on directly modifying pixels with minor perturbations. The small perturbation requirement is imposed to ensure the generated adversarial examples being natural and realistic to humans, which, however, puts a curb on the attack space thus limiting the attack ability and transferability especially for systems protected by a defense mechanism. In this paper, we propose the novel concepts of structure patterns and structure-aware perturbations that relax the small perturbation constraint while still keeping images natural. The key idea of our approach is to allow perceptible deviation in adversarial examples while keeping structure patterns that are central to a human classifier. Built upon these concepts, we propose a structure-preserving attack (SPA) for generating natural adversarial examples with extremely high transferability. Empirical results on the MNIST and the CIFAR10 datasets show that SPA exhibits strong attack ability in both the white-box and black-box setting even defenses are applied. Moreover, with the integration of PGD or CW attack, its attack ability escalates sharply under the white-box setting, without losing the outstanding transferability inherited from SPA.

UR - https://www.scopus.com/pages/publications/85091800698

U2 - 10.3233/FAIA200247

DO - 10.3233/FAIA200247

M3 - 会议稿件

AN - SCOPUS:85091800698

T3 - Frontiers in Artificial Intelligence and Applications

SP - 1419

EP - 1426

BT - ECAI 2020 - 24th European Conference on Artificial Intelligence, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020 - Proceedings

A2 - De Giacomo, Giuseppe

A2 - Catala, Alejandro

A2 - Dilkina, Bistra

A2 - Milano, Michela

A2 - Barro, Senen

A2 - Bugarin, Alberto

A2 - Lang, Jerome

PB - IOS Press BV

Y2 - 29 August 2020 through 8 September 2020

ER -

Peng D, Zheng Z, Luo L, Zhang X. Structure matters: Towards generating transferable adversarial images. In De Giacomo G, Catala A, Dilkina B, Milano M, Barro S, Bugarin A, Lang J, editors, ECAI 2020 - 24th European Conference on Artificial Intelligence, including 10th Conference on Prestigious Applications of Artificial Intelligence, PAIS 2020 - Proceedings. IOS Press BV. 2020. p. 1419-1426. (Frontiers in Artificial Intelligence and Applications). doi: 10.3233/FAIA200247

Structure matters: Towards generating transferable adversarial images

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this