Imperceptible Adversarial Examples by Spatial Chroma-Shift

TL;DR

This paper introduces a novel method for generating imperceptible adversarial examples by applying spatial chroma-shift transformations, which fool neural networks while remaining visually natural and less detectable to humans.

Contribution

The authors propose a new adversarial attack technique that modifies only chrominance channels through spatial shifts, resulting in more natural-looking adversarial examples with high fooling rates.

Findings

Achieves high fooling rates on CIFAR-10 and NIPS datasets.

Produces adversarial examples with better perceptual quality scores.

Human studies confirm the natural appearance of the examples.

Abstract

Deep Neural Networks have been shown to be vulnerable to various kinds of adversarial perturbations. In addition to widely studied additive noise based perturbations, adversarial examples can also be created by applying a per pixel spatial drift on input images. While spatial transformation based adversarial examples look more natural to human observers due to absence of additive noise, they still possess visible distortions caused by spatial transformations. Since the human vision is more sensitive to the distortions in the luminance compared to those in chrominance channels, which is one of the main ideas behind the lossy visual multimedia compression standards, we propose a spatial transformation based perturbation method to create adversarial examples by only modifying the color components of an input image. While having competitive fooling rates on CIFAR-10 and NIPS2017 Adversarial Learning Challenge datasets, examples created with the proposed method have better scores with regards to various perceptual quality metrics. Human visual perception studies validate that the examples are more natural looking and often indistinguishable from their original counterparts.