Generating Adversarial Images in Quantized Domains

Bonnet, Benoit; Furon, Teddy; Bas, Patrick

Type de document :

Compte-rendu et recension critique d'ouvrage

DOI :

10.1109/TIFS.2021.3138616

Titre :

Generating Adversarial Images in Quantized Domains

Auteur(s) :

Bonnet, Benoit [Auteur]
Creating and exploiting explicit links between multimedia fragments [LinkMedia]
Furon, Teddy [Auteur]
Creating and exploiting explicit links between multimedia fragments [LinkMedia]
Bas, Patrick [Auteur]

Centre de Recherche en Informatique, Signal et Automatique de Lille - UMR 9189 [CRIStAL]

Titre de la revue :

IEEE Transactions on Information Forensics and Security

Éditeur :

Institute of Electrical and Electronics Engineers

Date de publication :

2022

ISSN :

1556-6013

Discipline(s) HAL :

Sciences de l'ingénieur [physics]/Traitement du signal et de l'image [eess.SP]

Résumé en anglais : [en]

Many adversarial attacks produce floating-point tensors which are no longer adversarial when converted to raster or JPEG images due to rounding. This paper proposes a method dedicated to quantize adversarial perturbations. ...
Lire la suite >Many adversarial attacks produce floating-point tensors which are no longer adversarial when converted to raster or JPEG images due to rounding. This paper proposes a method dedicated to quantize adversarial perturbations. This "smart" quantization is conveniently implemented as versatile post-processing. It can be used on top of any white-box attack targeting any model. Its principle is tantamount to a constrained optimization problem aiming to minimize the quantization error while keeping the image adversarial after quantization. A Lagrangian formulation is proposed and an appropriate search of the Lagrangian multiplier enables to increase the success rate. We also add a control mechanism of the ∞-distortion. Our method operates in both spatial and JPEG domains with little complexity. This study shows that forging adversarial images is not a hard constraint: our quantization does not introduce any extra distortion. Moreover, adversarial images quantized as JPEG also challenge defenses relying on the robustness of neural networks against JPEG compression.Lire moins >

Langue :

Anglais

Vulgarisation :

Non

Projet ANR :

Utilisation de grandes bases d'images hétérogènes en stéganalyse pour se rapprocher d'un contexte opérationnel
Outils pour la détection de manipulation d'images numériques.
Sécurité de l'Intelligence Artificielle pour des Applications Défense

Collections :