Generating Adversarial Images in Quantized Domains

Bonnet, Benoit; Furon, Teddy; Bas, Patrick

Document type :

Article dans une revue scientifique

DOI :

10.1109/TIFS.2021.3138616

Title :

Generating Adversarial Images in Quantized Domains

Author(s) :

Bonnet, Benoit [Auteur]
Institut de Recherche en Informatique et Systèmes Aléatoires [IRISA]
Furon, Teddy [Auteur]
Institut de Recherche en Informatique et Systèmes Aléatoires [IRISA]
Bas, Patrick [Auteur]

Centre de Recherche en Informatique, Signal et Automatique de Lille - UMR 9189 [CRIStAL]

Journal title :

IEEE Transactions on Information Forensics and Security

Publisher :

Institute of Electrical and Electronics Engineers

Publication date :

2022

ISSN :

1556-6013

HAL domain(s) :

Sciences de l'ingénieur [physics]/Traitement du signal et de l'image [eess.SP]

English abstract : [en]

Many adversarial attacks produce floating-point tensors which are no longer adversarial when converted to raster or JPEG images due to rounding. This paper proposes a method dedicated to quantize adversarial perturbations. ...
Show more >Many adversarial attacks produce floating-point tensors which are no longer adversarial when converted to raster or JPEG images due to rounding. This paper proposes a method dedicated to quantize adversarial perturbations. This "smart" quantization is conveniently implemented as versatile post-processing. It can be used on top of any white-box attack targeting any model. Its principle is tantamount to a constrained optimization problem aiming to minimize the quantization error while keeping the image adversarial after quantization. A Lagrangian formulation is proposed and an appropriate search of the Lagrangian multiplier enables to increase the success rate. We also add a control mechanism of the ∞-distortion. Our method operates in both spatial and JPEG domains with little complexity. This study shows that forging adversarial images is not a hard constraint: our quantization does not introduce any extra distortion. Moreover, adversarial images quantized as JPEG also challenge defenses relying on the robustness of neural networks against JPEG compression.Show less >

Language :

Anglais

Peer reviewed article :

Oui

Audience :

Internationale

Popular science :

Non

ANR Project :

Utilisation de grandes bases d'images hétérogènes en stéganalyse pour se rapprocher d'un contexte opérationnel
Outils pour la détection de manipulation d'images numériques.
Sécurité de l'Intelligence Artificielle pour des Applications Défense

Collections :