Natural Manipulation Methods of Images for Adversarial Attack on Deep Neural Networks

Abstract

Deep neural networks(DNNs) have achieved great success in various computer vision fields such as autonomous driving, face recognition, medical imaging and object detection. They are changing the way we interact with the world and bringing in much convenience in our life and study. However, a well-trained deep neural network can be attacked by malicious manipulation. An attacker deliberately designs on input data to cause the networks to make a mistake, this is called the adversarial attack on deep learning. The input data generated through the adversarial attack method is known as an adversarial example. Adversarial attack is an important aspect in Artificial Intelligence(AI) because they represent a concrete problem in Artificial Intelligence safety. At the moment, a common adversarial attack method is that adding some adversarial perturbations to pixel space of input images and they are used to elicit the misclassifications of networks. In the image classification task, feature extraction and classification function are important steps in the networks building process. These malicious perturbations can have negative effect on feature extraction and classification function of networks. Usually, attackers make the adversarial perturbations by limiting the measures in order to prevent detection with naked eye. Even then, sometimes the pixel-based adversarial perturbations can make the image unnatural and they easily detected. In this paper, we propose two new adversarial attack methods to generate a variety of more natural adversarial examples: (1)Universal adversarial image stamp-based adversarial attack, (2)Semantic face transformation-based adversarial attack. Comprehensive experiments are also conducted to show that the accuracy of classification networks can be reduced using our adversarial attack methods.