Reversible Attack based on Local Visual Adversarial Perturbation

TL;DR

This paper introduces a reversible adversarial attack method that embeds recovery information into images using local visible perturbations and data hiding, allowing original images to be error-free recovered after attack.

Contribution

It proposes a novel reversible adversarial example generation technique based on local visible perturbations and reversible data hiding, improving image recovery and attack performance.

Findings

Successful error-free recovery of original images.

Effective attack performance on CIFAR-10 and ImageNet.

Reduced image distortion through compression and B-R-G embedding.

Abstract

Adding perturbations to images can mislead classification models to produce incorrect results. Recently, researchers exploited adversarial perturbations to protect image privacy from retrieval by intelligent models. However, adding adversarial perturbations to images destroys the original data, making images useless in digital forensics and other fields. To prevent illegal or unauthorized access to sensitive image data such as human faces without impeding legitimate users, the use of reversible adversarial attack techniques is increasing. The original image can be recovered from its reversible adversarial examples. However, existing reversible adversarial attack methods are designed for traditional imperceptible adversarial perturbations and ignore the local visible adversarial perturbation. In this paper, we propose a new method for generating reversible adversarial examples based on local visible adversarial perturbation. The information needed for image recovery is embedded into the area beyond the adversarial patch by the reversible data hiding technique. To reduce image distortion, lossless compression and the B-R-G (bluered-green) embedding principle are adopted. Experiments on CIFAR-10 and ImageNet datasets show that the proposed method can restore the original images error-free while ensuring good attack performance.