Demiguise Attack: Crafting Invisible Semantic Adversarial Perturbations with Perceptual Similarity

TL;DR

This paper introduces Demiguise Attack, a method for creating highly effective, photorealistic adversarial examples that are perceptually similar to original images, challenging defenses and human perception.

Contribution

The paper proposes a novel approach to generate unrestricted, perceptually similar adversarial examples using Perceptual Similarity, improving attack success and robustness over existing methods.

Findings

Outperforms state-of-the-art attacks in fooling rate and transferability

Enhances robustness against defenses like noise reduction filters

Simulates real-world illumination and contrast changes

Abstract

Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples. Adversarial examples are malicious images with visually imperceptible perturbations. While these carefully crafted perturbations restricted with tight $\Lp$ norm bounds are small, they are still easily perceivable by humans. These perturbations also have limited success rates when attacking black-box models or models with defenses like noise reduction filters. To solve these problems, we propose Demiguise Attack, crafting ``unrestricted'' perturbations with Perceptual Similarity. Specifically, we can create powerful and photorealistic adversarial examples by manipulating semantic information based on Perceptual Similarity. Adversarial examples we generate are friendly to the human visual system (HVS), although the perturbations are of large magnitudes. We extend widely-used attacks with our approach, enhancing adversarial effectiveness impressively while contributing to imperceptibility. Extensive experiments show that the proposed method not only outperforms various state-of-the-art attacks in terms of fooling rate, transferability, and robustness against defenses but can also improve attacks effectively. In addition, we also notice that our implementation can simulate illumination and contrast changes that occur in real-world scenarios, which will contribute to exposing the blind spots of DNNs.