The Effect of Class Definitions on the Transferability of Adversarial Attacks Against Forensic CNNs
Xinwei Zhao, Matthew C. Stamm

TL;DR
This paper investigates how the specific class definitions used during training affect the transferability of adversarial attacks on forensic CNNs, revealing that attacks are less transferable when class definitions differ, even with identical architectures.
Contribution
It demonstrates that adversarial attacks on forensic CNNs are less transferable across models with different class definitions, highlighting a new factor influencing attack robustness.
Findings
Adversarial attacks fail to transfer between CNNs with different class definitions.
Transferability of attacks is significantly reduced even between identical architectures with different class labels.
The results have implications for designing forensic CNNs that are resistant to adversarial attacks.
Abstract
In recent years, convolutional neural networks (CNNs) have been widely used by researchers to perform forensic tasks such as image tampering detection. At the same time, adversarial attacks have been developed that are capable of fooling CNN-based classifiers. Understanding the transferability of adversarial attacks, i.e. an attack's ability to attack a different CNN than the one it was trained against, has important implications for designing CNNs that are resistant to attacks. While attacks on object recognition CNNs are believed to be transferrable, recent work by Barni et al. has shown that attacks on forensic CNNs have difficulty transferring to other CNN architectures or CNNs trained using different datasets. In this paper, we demonstrate that adversarial attacks on forensic CNNs are even less transferrable than previously thought even between virtually identical CNN architectures!…
Taxonomy
Topics: Digital Media Forensic Detection · Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
