GreedyFool: Multi-Factor Imperceptibility and Its Application to Designing a Black-box Adversarial Attack

TL;DR

This paper introduces GreedyFool, a black-box adversarial attack leveraging a multi-factor perceptual metric, MulFactorLoss, which considers human visual system factors to generate more imperceptible adversarial examples with high success rates.

Contribution

It proposes a novel multi-factor perceptual metric, MulFactorLoss, and a black-box attack method, GreedyFool, that effectively creates imperceptible adversarial examples considering human visual perception.

Findings

MulFactorLoss outperforms existing pixelwise metrics in imperceptibility.

GreedyFool achieves a 100% success rate in black-box adversarial attacks.

Extensive experiments and user studies validate the effectiveness of the proposed methods.

Abstract

Adversarial examples are well-designed input samples, in which perturbations are imperceptible to the human eyes, but easily mislead the output of deep neural networks (DNNs). Existing works synthesize adversarial examples by leveraging simple metrics to penalize perturbations, that lack sufficient consideration of the human visual system (HVS), which produces noticeable artifacts. To explore why the perturbations are visible, this paper summarizes four primary factors affecting the perceptibility of human eyes. Based on this investigation, we design a multi-factor metric MulFactorLoss for measuring the perceptual loss between benign examples and adversarial ones. In order to test the imperceptibility of the multi-factor metric, we propose a novel black-box adversarial attack that is referred to as GreedyFool. GreedyFool applies differential evolution to evaluate the effects of perturbed pixels on the confidence of a target DNN, and introduces greedy approximation to automatically generate adversarial perturbations. We conduct extensive experiments on the ImageNet and CIFRA-10 datasets and a comprehensive user study with 60 participants. The experimental results demonstrate that MulFactorLoss is a more imperceptible metric than the existing pixelwise metrics, and GreedyFool achieves a 100% success rate in a black-box manner.