Unrestricted Adversarial Examples via Semantic Manipulation

TL;DR

This paper introduces a novel approach to creating photorealistic adversarial examples by manipulating semantic image features like color and texture, challenging current defenses and affecting multiple vision tasks.

Contribution

It proposes unrestricted, semantically manipulated adversarial examples that are effective against various defenses and applicable to complex tasks like classification and captioning.

Findings

Effective against JPEG compression and feature squeezing defenses.

Applicable to image classification and captioning on ImageNet and MSCOCO.

Generated examples are photorealistic to humans despite large perturbations.

Abstract

Machine learning models, especially deep neural networks (DNNs), have been shown to be vulnerable against adversarial examples which are carefully crafted samples with a small magnitude of the perturbation. Such adversarial perturbations are usually restricted by bounding their $\mathcal{L}_p$ norm such that they are imperceptible, and thus many current defenses can exploit this property to reduce their adversarial impact. In this paper, we instead introduce "unrestricted" perturbations that manipulate semantically meaningful image-based visual descriptors - color and texture - in order to generate effective and photorealistic adversarial examples. We show that these semantically aware perturbations are effective against JPEG compression, feature squeezing and adversarially trained model. We also show that the proposed methods can effectively be applied to both image classification and image captioning tasks on complex datasets such as ImageNet and MSCOCO. In addition, we conduct comprehensive user studies to show that our generated semantic adversarial examples are photorealistic to humans despite large magnitude perturbations when compared to other attacks.