Adversarial Image Color Transformations in Explicit Color Filter Space

TL;DR

This paper introduces AdvCF, a gradient-optimized color transformation attack in an explicit color filter space, enabling systematic analysis of model robustness and outperforming existing methods in fooling classifiers and human interpretability.

Contribution

We propose AdvCF, a novel explicit color filter space for adversarial attacks, allowing systematic robustness analysis and demonstrating superiority over existing color transformation attacks.

Findings

AdvCF effectively fools classifiers more than existing attacks.

AdvCF is more human-interpretable and efficient.

Insights into model robustness against color transformations.

Abstract

Deep Neural Networks have been shown to be vulnerable to adversarial images. Conventional attacks strive for indistinguishable adversarial images with strictly restricted perturbations. Recently, researchers have moved to explore distinguishable yet non-suspicious adversarial images and demonstrated that color transformation attacks are effective. In this work, we propose Adversarial Color Filter (AdvCF), a novel color transformation attack that is optimized with gradient information in the parameter space of a simple color filter. In particular, our color filter space is explicitly specified so that we are able to provide a systematic analysis of model robustness against adversarial color transformations, from both the attack and defense perspectives. In contrast, existing color transformation attacks do not offer the opportunity for systematic analysis due to the lack of such an explicit space. We further demonstrate the effectiveness of our AdvCF in fooling image classifiers and also compare it with other color transformation attacks regarding their robustness to defenses and image acceptability through an extensive user study. We also highlight the human-interpretability of AdvCF and show its superiority over the state-of-the-art human-interpretable color transformation attack on both image acceptability and efficiency. Additional results provide interesting new insights into model robustness against AdvCF in another three visual tasks.